IBM Extends ALM With
Acquisition of Telelogic 

US$745 million purchase adds embedded tools 



BY JEFF FEINMAN 

With IBM's expected 
acquisition of develop- 
ment tool maker Telelog- 
ic for US$745 million, 
one industry expert said 
that IBM Rational might 
be taking steps to redefine
ALM. At the same
time, executives at competing 
companies said the acquisition is 
a way for IBM to strengthen 
parts of its ALM offering. 

IBM is making a long-term 
bet that the requirements of the 
embedded world are going to 
converge with those of the traditional
IT space. Telelogic's product
line covers a broad
range of software used 
in developing complex 
embedded systems such 
as aircraft radar and 
antilock braking systems. 
Those tools include 
the Doors requirements 
management family, the
Rhapsody systems engineering 
environment, the Synergy 
change and configuration man- 
agement suite, and the Tau mod- 
eling environment. 

Upon the close of the acquisi- 
tion, Telelogic will become part 
of the IBM Rational business 



Europa Release Marks 
Major Eclipse Overhaul 



BY ALEX HANDY 

The Eclipse Europa simultaneous 
release, which includes version 3.3 
of the Eclipse IDE and updates to 
21 projects, was set to be released 
to the public in late June. 

Eclipse IDE 3.3 includes a 
new keystroke-based way to step 
through method collections, new 
ways to handle unresolved 
names, and the ability to browse 
objects in a Java Virtual Machine 
when running Java SE 6. 

But with 21 companion pro- 
jects included in part of 
Europa, it's a sure bet that one's 
favorite tools are back again 
with new capabilities. While 
standbys such as the Business 



Intelligence and Reporting 
Tools (BIRT) suite and the Test 
and Performance Tools Plat- 
form (TPTP) have returned 
with support for Windows Vista 
and Java SE 6, new tools are 
also on board with their own 
bells and whistles. 

Mike Milinkovich, executive 
director of the Eclipse Founda- 
tion, noted that two of the newest 
Eclipse tools have brought some 
of the most interesting updates to 
the Europa release. 

The first, a workflow tool for- 
merly known as Mylar, has been 
renamed Mylyn to avoid trade- 
mark issues. With the release of 
Mylyn 2.0 as part of Europa, the 



tool enhances its ability to view 
workflows as tasks. "This is one of 
the really interesting projects at 
Eclipse for the individual Java 
developer," said Milinkovich. "It 
gives instant access to a task UI, 
and integrations with tools devel- 
opers constantly use, like Bugzil- 
la and Jira." 

Another new unit of the 
Europa release, the SOA Tools 
Platform, is arriving just a few 
months after it was first 
announced. "It's a pretty inter- 
esting feature set for a 1.0 
release," Milinkovich noted, 
adding that it offers JAX-WS ser- 
vice development, a BPM dia- 



Tech-Ed 2007: No Overarching Vision 



BY DAVID WORTHINGTON 

ORLANDO, FLA. — 

Microsoft stayed on mes- 
sage at this year's Tech-Ed 
held here about its current, 
and soon-to-be-delivered, 
platforms, applications and tools, 
but when questioned about the 
future, like a Magic 8-Ball it 
answered, "Better not tell you 
now." Spokesperson after spokes- 
person finessed their way around 
discussing the company's "vision," 
and refused to discuss the compa- 
ny's future products. But even if 
the discussions were short of pre- 
dictions, a series of technical 
breakout sessions, seminars and 
classes engrossed developers in 
all things Microsoft. 

Bob Muglia, senior vice president
of Microsoft's server and tools
business unit, kicked off Tech-Ed 
2007 with his June 4 keynote. 
Sharing the stage was "Back to the 
Future" movie actor Christopher 



Lloyd, who, armed with his "MS- 
BS detector" and an authentic 
DeLorean DMC-12, spirited 
Muglia into the past to avoid the 



Adobe's Apollo No Longer
Up in AIR as Runtime Debuts 



BY DAVID RUBINSTEIN 

To take advantage of the reach 
of the browser, but to get 
beyond its limitations, Adobe 
Systems in mid-June released 
the first public beta of a new 
desktop client runtime. It also 
unveiled a beta of the Flex 3 
development environment, with 
the first steps taken toward tak- 
ing the project open source. 

Adobe Integrated Runtime 
(AIR) is the formal name given 
to the Apollo runtime project, 
and it now has transparent 
HTML support — meaning de- 
velopers can move beyond the 
browser chrome to create a custom
look-and-feel for Web
applications. It also now works 
with AJAX, has the ability to 
work with multiple windows, 
and possesses drag-and-drop 
capability. SQLite is now part of 
the runtime, so data can be 
cached locally. 

"Web applications have gravi- 
tated to the browser for two 
advantages — they have reach, 
and they are more approachable 
to a broader developer base," 
said AIR senior product manager 
Mike Downey. "But [rich Internet
applications] are limited running 
inside a browser. So, how do you 
Leopard Prowls at Apple Confab

Developers get previews of OS update, new Safari ports and iPhone 



BY P.J. CONNOLLY 

Apple's Worldwide Developers 
Conference kicked off in San 
Francisco on June 11 with the 
traditional Steve Jobs keynote, 
and more than 5,000 people 
attending the show at the 
Moscone West exhibition hall. 

The address included pre- 
views of the iPhone, which was 
expected to ship in late June, 
and the Mac OS X 10.5 "Leop- 
ard" release, which is due in 
October. Developers took 
home a feature-complete beta 
version of the operating system 
and the accompanying Xcode 3 
developer tools. Jobs also 
unveiled beta versions of the 
Safari browser for both Mac 
OS X and Windows users; both 
are due to ship in the same 
time frame as Leopard. 

The company also clarified 
its position on third-party 
applications for the iPhone: 
Web-only, thank you very
much, sums it up. Developers 
will have to design their appli- 
cations around Web 2.0 ser- 
vices, because the device will 
not allow the installation of 
outside application code, in 
hopes of ensuring both securi- 
ty and stability, Jobs noted. 



The keynote audience was 
reported to have taken this 
announcement with a groan, 
although the approach does 
offer the advantage of simpli- 
fied software deployment. 

The Safari 3 update is 
claimed by Apple to render 
Web pages twice as fast as 
Microsoft's Internet Explorer 7, 
and 60 percent faster than 
Mozilla Firefox 2, based on 
tests performed with iBench. 
The beta version of Safari 3 is 
available now for download, 
and runs on Windows XP or later,
as well as Mac OS X 10.4.9 
"Tiger" and later. 

The Leopard preview 
focused on end-user features, 
including file sharing and GUI 
enhancements, updates to the 
iChat instant messaging and 
Mail applications, and the 
Time Machine backup and 
restore features. But Jobs also 
pointed to Leopard's full native 
64-bit support that allows 64- 
bit applications to run along- 
side existing 32-bit Mac OS X 
applications, and he highlight- 
ed the forthcoming release's 
multicore optimization and 
scheduling features. 

Mac OS X 10.5 'Leopard,' due in October, offers a number of user interface enhancements, including more transparency
for Finder objects, a three-dimensional Dock, and Stacks, which allow flexible document organization.

The server version of Leopard
will include new tools such
as a CalDAV-based iCal Server 
that provides calendar infor- 
mation via WebDAV, Podcast 
Producer for publishing pod- 
casts to blogs or iTunes, and a 
wiki server. 

The new Mac OS X release 
will also offer an update to the 
Xcode development tools, 



including a new editor, simpler 
debugging and support for 
Objective-C 2.0. The new 
Interface Builder will enable 
developers to add advanced 
animation effects to applica- 
tions, while the DashCode tool 
will let users create Dashboard 
widgets without writing any 
code. Developers using Leopard
will also have access to the
new Dtrace-based Xray appli- 
cation optimizer. 

Jobs also announced that 
Apple's developer network 
had grown by 200,000 in the 
past year; at the latest count, 
the Apple Developer Connec- 
tion membership is up to 
950,000.



Automating the Virtual Testing Lab for Fun and Profit 

Virtualization gives QA staff the next best thing to production systems 



BY P.J. CONNOLLY 

Virtualization technology has 
been in use for a while, at first 
on the mainframe in the data 
center, and gradually becoming 
useful on the commodity 
servers in the racks. 

Virtualization gets users close to production, says Voke's Lanowitz.

Thanks in no small part to
the rapid evolution and accep- 
tance of EMC's VMware plat- 
form, developers and testers 
have found virtualization useful 
in stretching their lists of usable 
platforms, by allowing them to 
test against system images from 
different operating system con- 
figurations that would be cost- 
prohibitive to manually install 
and configure. 

But the next step in using 
virtualization as a development 
and testing tool is automating 
its use in the lab. Theresa 
Lanowitz, founder of analyst 
firm Voke, recently discussed 
her firm's Market Snapshot 
report on virtual lab automa- 
tion, released earlier this year. 

According to research by analyst firm Voke, just over half (51 percent) of
those surveyed responded that they were able to reduce lab provisioning
time by two days or more.

Lanowitz began by explaining
that although server consolidation
has been the big sell for
virtualization, there is a much
broader role for it in the enterprise.
She said pressures for
improved software quality and
lower time-to-market, as well as 
the increasingly outsourced 
nature of today's IT landscape, 
are causing developers and 
testers to consider virtualization 
as plumbing, instead of as a 



novelty. Virtual lab automation, 
she noted, "gives to the quality 
assurance person, the test per- 
son... the ability to have an 
environment as close to pro- 
duction as possible." 

For companies that had 



made any serious effort to 
provide testing facilities to 
those people, Lanowitz noted, 
"it was really time-constrain- 
ing and resource-intensive 
from a monetary perspective 
to be able to maintain those 
labs. And in some cases, they 
said, 'This is just too much for
us to do.'" 

Lanowitz observed that a sit- 
uation with three environ- 
ments — the developer environ- 
ment, the test environment and 
ultimately the production envi- 
ronment — leads only to unnec- 
essary finger-pointing and 
harsh words between people 
who often work for the same IT 
organization. 

"What virtual lab automa- 
tion really brings to the game is 
that the tester can take a virtu- 
alized image of the production 
environment," she said, adding 
Outrunning the Bears

In-house hackers help Web sites stay steps ahead
by finding vulnerabilities before they are exploited 



BY JEFF FEINMAN 

The term "hackers" does not 
merely represent the villains that 
break into Web sites to do mali- 
cious things and steal important 
information. There are the white 
knights of the hacker society as 
well, scanning Web sites and 
conducting penetration tests to 
find vulnerabilities. Ethical 
hacking has become a security 
tool, as organizations seek out 
their vulnerabilities before the 
wrong sets of eyes find them. 

BUGS FOR SALE 

A developer for the open source 
Metasploit project, a computer 
security project that provides 
help and tooling for penetration 
testing, said that hackers are 
starting to sell the vulnerabilities 
they find because bugs are get- 
ting harder to find. The develop- 
er, who asked to be referred to 
only as Pusscat, said sale prices 
depend on what the bug is. 

Pusscat and other develop- 
ers contribute exploit code to 
Metasploit on an ad hoc basis. 
Exploit code is code that takes 
advantage of a software vulner- 
ability to subvert some security 
mechanism, most usually to 
execute arbitrary code on the 
system within the context of 
that process. 

"There's a lot of time and 
effort that goes into finding 
[vulnerabilities], and even more 
that goes into exploiting them," 
Pusscat said. "It's basically free 
work you're giving the company 
if you disclose the bug. The 
ones that get disclosed are usu- 
ally disclosed by people who 
think they have more going for 
them in name recognition than 
in selling the bug." 

Pusscat also said that hackers 
can achieve a great deal of fame 
and a stronger resume if they 
release vulnerabilities publicly. 

Both Pusscat and Scott 



Laliberte, director of security 
assessments for Protiviti, a 
provider of audit and technolo- 
gy risk consulting services, said 
most hackers follow the unwrit- 
ten rule of responsible disclo- 
sure, which calls for informing 
the company and giving them 
the information you have on the 
vulnerability, while the compa- 
ny in turn gives a timeline for 
fixing the patch. 

Sometimes the researcher 
and the company can negotiate 
an acceptable time line, with the 
researcher vowing to keep it qui- 
et until that date, and the com- 
pany crediting the researcher for 
finding it, according to Pusscat. 

Laliberte told SD Times 
that most vulnerabilities are 
found in Web applications, 
including buffer overflows, cross- 
site scripting, SQL injections, 
and on occasion, missing patches.
"We've done 'pen' tests, where
basically we'll replicate a VPN 
[virtual private network] server, 
and sometimes the log-on page is 
susceptible to cross-site script- 
ing," he said. "We can use that to 
craft an e-mail to try to get folks 
to reset their VPN passwords." 

Laliberte said he uses a vari- 
ety of tools, including Meta- 
sploit, the free security scanner 
Nmap, SPI Dynamics' applica- 
tion security assessment tool 
WebInspect, and Application
Security's AppDetective, which 
assesses the security of databases. 
Laliberte also uses freeware 
tools, which are put through an 
internal certification process to 
ensure they are free of Trojan 
code and viruses. For good pen- 
etration testing, Laliberte said, 
one needs a good port scanner 
and the ability to write exploits. 
A good vulnerability scanner can 
help a penetration test in viewing 
most of a Web site very quickly, 
but the scanner is often picked 
up by today's network-based 



intrusion detection systems. 

Jeremiah Grossman, founder 
and CTO of Web security 
provider WhiteHat Security, said 
that in-house hackers are getting 
better at finding vulnerabilities 
on Web sites. On top of that, new 
technologies such as Microsoft 
ASP.NET are more secure than 
previous ones, Grossman said. 
The result is that fewer vulnera- 
bilities are making it into pro- 
duction applications. 

"It's best if a company gets 
the data ahead of [an attack]. 
Their site is going to be attacked 
whether they like it or not, so it's 
best if they know about vulnera- 
bilities before the bad guys 
come along," Grossman said. 

'SHOCK VALUE' 

Penetration testing and ethical 
hacking may sound like a great 
way to detect vulnerabilities in 
theory, but how can someone 
with good intentions try to act 
and think like someone with 
bad ones? 

"It has its place," Laliberte 
said. "I think pen tests are good 
for organizations that need the 
shock value. Replicating what a 
real-time attacker may do can 
carry a lot of shock value. It 
also tests response capability, 
enabling you to see how well 
people in an organization can 
detect an attack and respond." 

Laliberte also said vulnerabil- 
ity assessment can be a good first 
step for less mature organiza- 
tions, as it gives them some good 
knowledge of security vulnera- 
bilities to watch for as they grow. 

"What you're really trying to 
do is make it so difficult for the 
bad guy, that they're more will- 
ing to target the next Web site," 
Grossman said. "I think the bear- 
in-the-woods analogy applies to 
hacking as well: 'To outrun a
bear, you have to outrun your
friend.' "
NEW PRODUCTS



Pegasystems has launched an exchange for the sharing of BPM and 
SOA-focused components and content. The Pega Exchange is intend- 
ed to provide more than reference diagrams and sample code; found- 
ing participants in the exchange include Cognizant, Crosscheck Net- 
works, HostBridge, Panorama Software, PrintSoft and Satyam 
Computer Services . . . Microsoft made the Visual Studio Team Foun- 
dation Server- Project Server 2007 Connector (PS-TFS Connector) 
available on CodePlex, its open-source software hosting site, in June. 
Future versions of Team System will offer built-in integration with Pro- 
ject Server . . . AtTask, a provider of on-demand project and portfolio 
management software, has released a SOAP API suite complete with 
a software development kit and a ready-made API for Microsoft Out- 
look. This allows organizations to update assigned tasks and jump to 
projects in AtTask from within Outlook. 



UPDATES 



AmberPoint, a provider of SOA runtime governance solutions, has 
released version 6 of AmberPoint SOA Management System and 
AmberPoint SOA Validation System. Both of the new products lever- 
age Adobe Flex and AJAX, while the new version of the AmberPoint 
SOA Validation System now uses complete transaction flows to detect 
potential runtime anomalies . . . Kapow Technologies has released 
two new editions of the Kapow Mashup Server family. First is a Web 
2.0 edition of its server, which allows the development of data-centric 
mashups on lightweight RSS feeds and REST services. The company 
also released the Content Migration Edition, which collects and 
converts source content in an automated way . . . After a seven-month 
beta program, Reportive unveiled the latest version of its namesake 
tools for building analytic and reporting applications. Reportive V8 
offers a new analytics engine and refreshed compression and memory 
optimization techniques . . . Australian defect-tracking software
designer Jackal Software has released BugAware 5.0, offering 
new template-based multilanguage functionality. Danish and French 
are supported as well as English, and a German translation will be 
available shortly. BugAware 5.0 includes a new Web-based user inter- 
face that is team-focused and an external access system that 
allows clients to submit issues without requiring them to sign in to
BugAware . . . Forte Design Systems has released version 3.3 of the 
Cynthesizer analysis tools that allow a direct translation from the 
SystemC description language to the GDSII database for exchanging 
IC layout information. The new version adds a graphical analysis 
environment, the Cynthesizer Workbench and design scheduling 
improvements, and marks the release of the company's CynWare Sys- 
temC design library . . . MontaVista Software has announced that 
MontaVista Linux Professional Edition is now supported on the 
Freescale Semiconductor MPC8349E-mlTXE processor, of the Pow- 
erQUICC II Pro family . . . Sapphire Steel Software has released 
version 1.1 of Ruby In Steel Developer, a Ruby on Rails IDE for Visual 
Studio 2005. The new version includes the Cylon debugger along with 
syntax coloring and code folding for Ruby code and RHTML templates 
. . . Ounce Labs has released version 5.0 of the Ounce security 
analysis engine, now featuring compliance with the Payment Card 
Industry (PCI) standard, along with the Open Web Application Securi- 
ty Project (OWASP) . . . Electric Cloud has added software build and 
release management analytics to its product family, made up of build 
automation tool ElectricCommander, the parallel build solution Electric
Accelerator and the build reporting tool ElectricInsight.



PEOPLE 



Tableau Software, a provider of visual analysis software, has 
announced that company co-founder and CTO Pat Hanrahan was 
elected to the 2007 Class of Fellows by the American Academy of Arts 
and Sciences. The academy, which was founded in 1780 by a group that 
included John and Samuel Adams, James Bowdoin and John Hancock, 
is dedicated to "cultivating arts and sciences which may tend to 
advance the interest, honour, dignity, and happiness of a free,
independent and virtuous people."
IBM Jazzes Up Collaboration With Web 2.0 Interfaces



BY ALEX HANDY 

IBM has added all that Jazz to 
new collaboration tools in its 
Rational application life-cycle
product lines. 

At the company's 10th Ratio- 
nal Software Development Con- 
ference in Orlando, Fla., in early 
June, IBM announced the addi- 
tion of new Web-based inter- 
faces for Rational ClearCase, 
Rational ClearQuest and a num- 
ber of other products, and 
issued the beta release of the 
first Jazz-based Rational prod- 
uct, Team Concert. 

The Rational line was also 
expanded with the addition of a 
new repository, IBM Rational 
Asset Manager, which tracks soft- 
ware assets and allows users to 
rate and comment on each item. 

Scott Hebner, IBM's vice 
president of marketing and strat- 
egy, used an analogy to describe 
the new repository: "If you want- 
ed to get Chinese food, you look 
at a menu and consume info 
about that restaurant. This is 
more if you wanted to start your 
own Chinese restaurant." 

The IBM Rational Asset 
Manager, Hebner continued, 
allows developers to aggregate 
all those figurative food recipes, 
and to append their comments 
and ratings to them, and thus a 
collaboratively developed inter- 
nal software menu is formed. 
The new repository includes an 
Eclipse plug-in that allows 
developers to interact with 
stored software assets without 
leaving their IDE, said Hebner. 

The Rational product team 
spent the past year preparing for 
the introduction of Jazz, IBM's 
Eclipse-based collaborative work 
environment and framework. 
The work that remains, Hebner 
noted, will now take place in the 
open. 

WELCOME TO JAZZ.NET 

At the conference, IBM opened 
the doors to www.jazz.net, a Web 
site that will be dedicated to 
building the Jazz community, 
and which Hebner pointed to as 
the future home for all of the 
development work done on the 
Jazz framework and platform. 
Developers will be able to test- 
drive the software, as well as 
contribute their ideas for fea- 
tures and additions. 

The first member of the Jazz 
ensemble is already in the wings. 
A beta of IBM Rational Team 
Concert was released during the 



conference, and can be down- 
loaded from Jazz.net. Rational 
Team Concert is a "real-time col- 
laborative portal for software 
developers to improve their 
innovation and productivity," 



claimed Hebner. "It's a flexible, 
low-footprint application life- 
cycle management platform for 
development teams." 

Other products in the Ratio- 
nal lineup were updated with 



new Web 2.0 interfaces, Hebner 
noted, including IBM Rational 
Method Composer 7.2, Rational 
Portfolio Manager 7.1, and ver- 
sion 7.01 releases of Rational 
ClearCase, ClearQuest, Build 



Forge and Requisite Pro. Heb- 
ner said that the Web interface 
improvements were specifically 
targeted at development teams 
that are distributed, outsourced 
or in different time zones.
PowerBuilder 11 Adds .NET Deployment



Sybase Data Window tool now works with Web services, MySQL 

BY ALEX HANDY

Sybase is building more power
into its database application
development environment.
PowerBuilder 11 hit the streets
for the first time in mid-June,
and the new version brings the
tool completely into the .NET
world. While previous editions
of the software have offered
built-in compatibility with the
.NET platform, this is the first
version of PowerBuilder to
allow direct compilation for the
Microsoft framework. In addition,
this version brings new
support for third-party databases
and for the consumption
of Web services. 

Dimitri Volkmann, Sybase's 
director of tools product man- 
agement, said that Power- 
Builder 11 is the first edition of 
the tool to support all major 
databases, including Microsoft 
SQL Server, MySQL, Oracle 
and PostgreSQL. In addition, 
the ability to integrate Web ser- 
vices into PowerBuilder appli- 
cations, he said, should bring a 
host of new skill sets to Sybase's 
user community.

Volkmann hopes that the 
abstraction of the data layer in 
applications built with Power- 
Builder will tempt existing 
Visual Studio users away from 
Microsoft's IDE. He explained 
that much of the work in build- 
ing a database-centric applica- 
tion involves writing queries 
and database presentation log- 
ic, all of which can be automat- 
ed in PowerBuilder. 

Sybase PowerBuilder 11 is 
available for US$2,995 per user, 
or $1,495 for those upgrading 
from previous versions. 

For .NET developers, 
PowerBuilder 11 will allow the 
deployment of constructed 
database-centric applications to 
either the desktop or the Web, 
through .NET's various form 
types. Developers seeking to 
deploy on top of ASP.NET can 
push their compiled applica- 
tions out to Web Forms, noted 
Volkmann. 

PowerBuilder was originally 
created in 1991 by a team head- 
ed by David Litwack. In its day, 
this rapid application develop- 
ment environment was one of 
the first such programming tools 
to feature a visual editor. Subse- 
quently, it grew into one of the 
most successful development 
tools of the early 1990s. The tool 
spurred its creator, PowerSoft, 
to go public two years later. 

In 1995, Sybase purchased 
PowerSoft for a hair under US$1 
billion in Sybase stock. The deal 
soon soured as the market for 
visual application development 
was taken away by Visual Basic 
and Borland's Delphi.
Searching for Themes Behind Research

Google, Yahoo: Different corporate cultures mean different approaches to science 



BY GEOFF KOCH 

It's no surprise that search lead- 
ers Google and Yahoo are 
crawling with Ph.D. degrees. 
Beyond the legions of overedu- 
cated engineers who work to 
optimize search functionality, 
both companies have visible 
research organizations that 
boast rosters of top-flight acad- 
emics. And despite their corpo- 
rate affiliations, these professor 
types continue to crank out 
peer-reviewed conference pre- 
sentations and journal articles. 

Yet even though this sort of 
intellectual output is clearly val- 
ued at both companies, impor- 
tant differences exist when it 
comes to the approach to 
research. True to form, Google 
appears to be more anarchic 
and algorithm-driven, while 
Yahoo, which makes more of an 
effort to position and sell its 
research team as a hub of 
industry innovation, seems 
more focused on community. 

Peter Norvig is the director 
of research at Google, where he 
has worked since 2001. A 
NASA veteran whose code flew 
on the Deep Space 1 and Mars 
Exploration Rovers, Norvig is 
now preoccupied by more ter- 
restrial concerns — though he is 
also the man behind Google 
Mars. Ticking off Google's 
research interests, Norvig cites 
a range of activity, from work on 
the core search and advertising 
business to more novel pur- 
suits, such as speech recogni- 
tion and accessibility for visual- 
ly impaired Web surfers. But 
good luck squeezing a priori- 
tized list of research out of him. 

"We don't think of things 
that way; we don't have as much 
internal structure, so we don't 
show it that way externally," said 
Norvig. "If you ask the average 
Google employees, 'Where are 
you on the org chart?' they don't 
really know. What they know is, 
'I'm working on these projects
with these four other guys. 
That's really where I fit.' " 

This decentralized and 
somewhat freewheeling style is 
on full display at the official 
Google research blog, one of 
the more prominent public 
faces of the company's research 
activities. With a Google-typical 
ultra-spare design and postings 
that appear at wildly infrequent 
intervals, the blog appears to be 







a collective afterthought. 

Blog topics include calls to 
attend Google-sponsored con- 
ferences; archived lists of videos 
of interesting lectures at Google, 
including one delivered by 
Daniel Wilson, sci-fi author, and 
another by James Watson, Nobel 
laureate; and links, for those 
working on topics like machine 
translation, to various subgroup- 
ings of the 1 trillion words that 
have been culled from public 
Web sites by Google. For the 
record, the four-word phrase 
"serve as the inspiration" appears 
10 times more often than "serve 
as the installation." 

PARC AS ROLE MODEL 

In contrast to the Google blog, 
the landing page for Yahoo 
Research looks like, well, a 
grown-up Web site of a Fortune 
500 company. There's clear evi- 
dence of an eye to branding, 
design and layout, a more regu- 
lar drumbeat of news and 
announcements and, just one 
click away, a clear statement of 
the Yahoo Research focus 
areas — search, machine learn- 
ing, microeconomics, media 
experience research and com- 
munity systems. 

"We want to build some- 
thing with the industry influ- 
ence of Xerox PARC, which 
gave us the modern scientific 
field of human computer inter- 
action," said Prabhakar Ragha- 
van, head of Yahoo Research. 
"We aspire to be equally ambi- 
tious, but at Yahoo, we're much 
more concerned with the 
human-to-human interface." 

Raghavan said that PARC 
was so productive — Xerox's 
West Coast lab arguably is the 



source of the PC, the graphical 
user interface and the comput- 
er mouse, and a host of other 
inventions — because it had an 
eclectic mix of social scientists 
who commingled with comput- 
er scientists and engineers. It's 
a model Raghavan is trying to 
follow at Yahoo Research, 
which in May announced it was 
expanding its roster of social 
science researchers by hiring 
Cal Tech economist R. Preston 
McAfee and Columbia sociolo- 
gist Duncan Watts. 

Why would a social scientist 
flee the university for Yahoo? 
Raghavan doesn't mention 
salaries, though these almost 
surely trump academic pay 
scales by a wide margin. Rather, 
he talks about the ability to 
watch and analyze the Web- 
facilitated interactions of hun- 
dreds of millions of people. 

"You get to be intensely 
data-driven and do experimen- 
tal design on a scale you've nev- 
er done before," he said. "I 
believe the social sciences are 



due for a revolution because of 
the scale that we can offer." 

MACHINE TRANSLATION 

Dealing with scale is front and 
center at Google as well, and 
indeed much of the research 
that Norvig said he is most 
proud of has to do with using 
engineering brawn to make 
sense of large amounts of data. 

In an effort to unlock the 
increasingly polyglot Web, the 
company continues to invest in 
machine translation. For a sec- 
ond straight year, Google scored 
at or near the top in several cat- 
egories in the NIST 2006 
machine translation evaluation. 

In addition, Google-authored 
papers on MapReduce, a pro- 
gramming model for processing 
terabyte-sized data sets, and the 
Google File System distributed 
file storage system are "key ref- 
erence papers now," said Norvig. 

Yahoo can stake its own claim 
on research influence, though 
more in the realm of audiences 
than algorithms. In an article 




published earlier this year in the 
American Economic Review, 
senior research scientist Michael 
Schwartz offers what may be the 
best analysis to date of the auc- 
tion pricing mechanism used by 
Google and Yahoo to sell online 
advertising. Schwartz, who 
worked at Harvard, Stanford 
and Berkeley before joining 
Yahoo, describes many facets of 
the auctions, including why 
advertisers don't have the incen- 
tive to make truthful bids. 

Schwartz's analysis was so 
good that when it started circu- 
lating in academic circles more 
than a year ago, it was enough 
to cause the famously close- 
lipped Google to start describ- 
ing more of the details of its 
AdWords system. 

At least for now, Yahoo's 
research operation, particularly 
when it comes to the interface 
between social and computer sci- 
ences, appears to be more robust 
than Google's. But it's reasonable 
to wonder whether this at all 
bothers Google, which continues 
to clobber Yahoo when it comes 
to market share and revenue. 

Still, for now Raghavan 
seems sanguine with Yahoo's 
emphasis on community and 
person-to-person connectivity. 

"While the Internet is tech- 
nology for you and me, for the 
next generation it's an appliance 
like electricity," he said. "It will 
be less about what you're doing 
with the screen than what you're 
doing with 1 billion other 
humans. Which is why we're 
continuing to make it easier for 
people to get together and find 
reasons to hang out with us; the 
device inevitably will fade to 
background."

'If you ask the average Google employees,
"Where are you on the org chart?" they
don't really know. What they know is, "I'm working
on these projects with these four other guys

—Peter Norvig, director of research at Google

Vendors Bask in the Tech-Ed Spotlight



The space shuttle is 
not the only thing 
to launch in Florida 

BY DAVID WORTHINGTON 

ORLANDO, FLA. — Developer tools, 
SharePoint enhancements and new tools 
for Microsoft SQL Server were among 
the new and updated products show- 
cased by vendors during the Tech-Ed 
conference held here June 4 to 8. 

Interface21, custodian of the Spring 
framework, an open source Java EE 
application framework, announced 
Spring.NET 1.1 at Tech-Ed on June 5. 
The .NET edition of the framework carries
over Spring's architectural concepts
and patterns while adding .NET-specific
features, with consistency, portability and 
testability. Its new features include sup- 
port for the ADO.NET data access 
framework, ASP.NET and ASP.NET 
AJAX integration, custom name spaces, 
declarative transaction management, 
NHibernate integration, Portable Service 
Abstraction and the NUnit testing tool. 

Parasoft announced .TEST 4.0, with 
new static analysis technology. Bug 
Detective uses several analysis tech- 
niques, including application execution 
path simulation, to identify paths that 
could trigger runtime defects. Rami 
Jaamour, product manager for SOA 
Solution at Parasoft, explained that this 
technique is beneficial because it high- 
lights software errors that may evade 
coding analysis and unit testing. The 
.TEST update also includes a new Code 
Review module that facilitates collabora- 
tive code reviews by managing distribu- 
tion lists and groupings for review notifi- 
cations and routings. 

As the number of cores on a proces- 
sor continues to double, developers face 
the challenge of understanding the 
underlying hardware architecture and 
parallel programming techniques, in 
addition to knowing how to create appli- 
cations that scale with the number of 
cores. RapidMind's development plat- 
form provides a level of abstraction 
between IDEs — including Eclipse and 
Microsoft Visual Studio — and multicore 
processors. At Tech-Ed, it shared its 
strategy to keep its product current by 
aggressively updating its CPU and GPU 
support modules. RapidMind CEO and 
president Ray DePaul explained that 
RapidMind is an alternative to vendor 
tools and SDKs, which may lock devel- 
opers into a specific hardware platform. 

When the developers and QA engi- 
neers complete their work, packaging 
begins. Indigo Rose unveiled Setup 
Factory for Windows Installer, a visual
setup builder based on Windows
Installer XML (WiX) that developers can
use to create MSI-formatted installer
packages. WiX is a tool set for building
Windows installation packages from
XML and is an open source project on
SourceForge.net.

Colligo for SharePoint synchronizes SharePoint with Microsoft Office Outlook.

SHAREPOINT: A COTTAGE INDUSTRY 

At Tech-Ed, it was clear that a partner 
ecosystem is forming around Microsoft's 
SharePoint portal solution. Microsoft 
has not yet endowed SharePoint with 
offline components to integrate with 
Office Outlook or grouping and permis- 
sion management capabilities, so others 
are stepping up to the plate. 

Colligo for SharePoint 2.1 provides 
two-way synchronization between Share- 
Point 2007 document libraries and Out- 
look folders. Its .NET client applications 
also allow users to apply custom metada- 
ta to files, to drag and drop e-mails and 
attachments, and to set up Outlook rules 
to copy e-mails to SharePoint. Brent 
Bolleman, Colligo Networks' chief 
strategy officer and founder, said that 
Colligo was a good fit for mobile users 
because of its synchronicity.

Securent revealed its aptly named 
Entitlement Management Solution for 
SharePoint, an add-on that addresses 
enterprise security and compliance con- 
cerns. Likewise, ScriptLogic revealed a 
similar product called Security Explorer 
for SharePoint. Both products create 
and enforce access control policies that 
can be configured and audited by 
administrators to meet enterprise securi- 
ty and compliance mandates. 

ScriptLogic's Nick Cavalancia, vice 
president of marketing, said that Share- 
Point's native security model was imped- 
ing its adoption in the enterprise and 



that solutions such as Security Explorer 
were necessary for large organizations to 
consider SharePoint. 

QUEST PLANS FOR NOW, FUTURE 

Meanwhile, Quest Software released a 
flurry of products to build out SQL Serv- 
er 2005's management capabilities. One 
new product, Change Director for SQL 
Server, was introduced, along with 
updates to Quest Performance Analysis 
for SQL Server and Quest Toad for SQL 
Server. Change Director permits data- 
base administrators to script and migrate 
database schema changes, while assess- 
ing the impact of those changes. Perfor- 
mance Analysis 6.0's memory sampling 
technology proactively tracks locking 
and blocking issues. New IntelliProfile 
technology monitors databases, to estab- 
lish the baseline behavior of a system. 

Toad 3.0, a database development 
and administration tool, now includes 
SQL Server job management, logs all
executed SQL code and has server-side 
filtering. New features intended to 
enhance productivity include the ability 
to add notes to database objects, edit 
duplicate table data, and export data 
with linked queries to Microsoft Excel 
with a single click. 

Meanwhile, an update to Quest's 
LiteSpeed for SQL Server database 
backup and recovery tool adds new com- 
pression options. David Gugick, manag- 
er of product management for the SQL 
Server solutions business unit at Quest, 
commented that the company was excit- 
ed about Microsoft's SQL Server 2008 
(formerly code-named Katmai) and that 
the company was in the process of 
adding functionality to its products, posi- 
tioning itself for next year's SQL Server 
release.



NETADVANTAGE: SILVERLIGHT 

Infragistics is poised to release a line of 
interface development tools for 
Microsoft's forthcoming Silverlight 
platform and ASP.NET 3.5 framework. 
Prototypes of the tools were demon- 
strated at Tech-Ed. 

NetAdvantage for Silverlight will 
bundle a library of charts and gauges 
for data visualization, rich content and 
media, as well as controls for applica- 
tion development scenarios. Infragis- 
tics showed off a collection of animated 
charts, an iTunes-like video shuffler, 
and an AJAX-enhanced address book. 

Meanwhile, Aikido is the code name 
for Infragistics' upcoming ASP.NET 
control framework. Aikido was built 
using CSS and XHTML, and is inte- 
grated with Microsoft's ASP.NET AJAX 
1.0 framework. Going forward, Aikido 
will fully support ASP.NET 3.5.

ACTIVEBATCH 6: COMPLIANCE 

Advanced System Concepts has 
whipped up a fresh batch of automation 
with ActiveBatch Job Scheduler version
6. It adds new compliance features and 
protected group access to the compa- 
ny's flagship business process automa- 
tion software. ActiveBatch 6 provides 
audit capability for tracking policy 
development and change management. 
A new feature called Virtual Root 
allows enterprise data to be protected, 
but shared. Also new is a built-in job 
library that vice president of sales and 
marketing James Manias said will 
reduce the amount of scripting neces- 
sary to design workflows. Job types are 
automatically assembled into com- 
pound job flows by the software.

ALTIRIS SVS: STREAMING 

Symantec believes that it has the solu- 
tion to software deployment woes: virtu- 
alizing and streaming software delivery. 
Altiris Software Virtualization Solution 
(SVS) 2.1 now has integrated applica- 
tion streaming, which virtualizes code 
on a central server and feeds it to the 
end user when a program is launched. 
Symantec turned to AppStream, a 
provider of application streaming tech- 
nologies, to build streaming capabilities 
into SVS. 

SVS is designed to make Windows 
software deployment less painful by 
compressing all program files and reg- 
istry keys into an archive. The archives 
are extracted onto local machines, 
bypassing the install process and emu- 
lating reboots. Machine-specific logic 
can be embedded into the archives 
when necessary.

— Compiled by David Worthington

GPLv3, Apache Compatible in Final Draft



BY ALEX HANDY 

It's been more than a year since 
the first draft of the GNU Pub- 
lic License version 3 reared its 
head. Since that time, its keep- 
ers at the Free Software Foun- 



dation (FSF) have slowly taken 
comments and adjusted the 
license to fit the needs of the 
many communities that use it. 
Now, with the release in early 
June of what it's calling the final 



draft of the license for public 
scrutiny, the FSF is nearing the 
end of its work. 

Perhaps the biggest single 
development in this draft of the 
license is the addition of wording 



that makes GPLv3 compatible 
with the Apache License Version 
2.0. In the end, the changes 
needed to make these two 
licenses compatible with each 
other were fairly trivial, according
to the FSF, and required the
change of a few words and the 
addition of some clarifications 
around patent indemnification. 

Another major addition to 
this draft is a grandfathering 
date for the clauses describing 
discriminatory patent promises. 
Specifically, some of GPLv3's 
patent restrictions will apply 
only to deals made after March 
28, 2007. The reasoning behind 
this clause, which would seem- 
ingly exempt the controversial 
Microsoft/Novell deal from the 
anti-discriminatory restrictions, 
was described, if confusingly so, 
in the GPLv3 Rationale paper: 

"The main reason for this is 
tactical. We believe we can do 
more to protect the community 
by allowing Novell to use soft- 
ware under GPL version 3 than 
by forbidding it to do so.... It 
will apply, under the Microsoft/ 
Novell deal, because of the 
coupons that Microsoft has 
acquired that essentially com- 
mit it to participate in the dis- 
tribution of the Novell SLES 
GNU/Linux system. Microsoft 
is scrambling to dispose of as 
many Novell SLES coupons as 
possible prior to the adoption of 
GPLv3. Unfortunately for 
Microsoft, those coupons bear 
no expiration date, and para- 
graph 6 has no cut-off date. 
Through its ongoing distribu- 
tion of coupons, Microsoft will 
have procured the distribution 
of GPLv3-covered programs as 
soon as they are included in 
Novell SLES distributions, 
thereby extending patent 
defenses to all down-stream 
recipients of that software by 
operation of paragraph 6." 

Since Microsoft's distribution 
of coupons for SLES support — 
but not for the distribution of 
software implied by the wording 
of this explanation — also extends
patent litigation protections to 
the recipient, the FSF maintains 
that this is a form of limited pro- 
tection rather than a broad 
patent protection, which is man- 
dated by the GPLv3. As such, 
Microsoft's limited patent pro- 
tections would be placed in a 
precarious legal state if GPLv3 
software were to mix into SLES. 

Finally, the FSF removed 
references to an American law 
relating to warranties in order 
to satisfy international users. 
Sections that extended amnesty 
to product users who circum- 
vent copyright protections con- 
tained within a GPLv3 program 
were also adjusted, for clarity. 

The FSF hopes to finish up 
work by the end of the summer.

Big Blue to Buy Watchfire



First development giant to get in the app security game 



BY JENNIFER DEJONG 

IBM has made the first move in 
the application security market, 
setting off speculation that oth- 
er software development giants 
will follow suit. 

The company last month an- 
nounced it has entered into a 
definitive agreement to acquire 
privately held Watchfire, which 
sells black-box testing tool App- 
Scan and other security offerings. 

"Up until this point, none of 
the big players has gotten into 
the application security game. 
This puts IBM there, and it is a 
good move," said Voke analyst 
Theresa Lanowitz. "Now that 
IBM has done it, maybe HP 
and Microsoft will [make simi- 
lar acquisitions]." 

IBM Rational vice president 
of business development Mike 
Loria said that the Watchfire 
acquisition will help companies 
address security issues earlier 
in the application life cycle. 
"You need to find the problems 
in the application [itself], and 
allow developers to fix them." 



Loria said IBM plans to integrate
Watchfire's AppScan and
WebXM tools with the Rational 
and Tivoli product lines, as well 
as with the network security 
tools that IBM acquired when it 
bought Internet Security Sys- 
tems last year. AppScan and 
WebXM will also be available as 
standalone offerings under the 
new regime. 

AppScan finds and fixes secu- 
rity vulnerabilities by simulating 
attacks that a hacker might 
launch, and was originally devel- 
oped by Sanctum, a software 
company that Watchfire acquired 
in 2004. WebXM lets companies 
audit their Web applications to 
make sure customer data is pro- 
tected properly, ensuring compli- 
ance with government mandates 
such as HIPAA, the Health In- 
surance Portability and Account- 
ability Act of 1996. 

Financial terms of the acqui- 
sition, expected to close in the 
third quarter of 2007, were not 
disclosed. Watchfire CTO Mike 
Weider said that all of the company's
senior executives are
expected to move over to IBM,
as will the majority of the company's
employees. The exact
role Weider will assume at IBM
has not yet been determined,
nor has that of Watchfire CEO
Peter McKay.

'If [the other big players]
want to remain competitive
with us, they will look at how
to respond in kind.'

— Mike Loria, VP of
business development, IBM Rational

'CATCH-22 SITUATION'

In buying Watchfire and integrating
its tools with its Rational
development platform, IBM
will take a leading role in proactive
application security by
spreading the word on why it's
essential to address security
concerns early in the application
life cycle, instead of simply relying
on firewalls that aim to block
intruders at the network door,
said Lanowitz. "It's really been a
Catch-22 situation," she said. 
The application security tool 
makers have worked hard to 
raise awareness around this 
issue, but without the direct 
backing of the big players, mak- 
ing significant inroads has been 
difficult, she said. 

The industry has failed to 
take a firm stand around secure 
development, added Aberdeen 
analyst Carol Baroudi. "We have 
been remiss, but it's time to hun- 
ker down around application 
security." 

Lanowitz said she is sur- 
prised it has taken so long for a 
big player such as IBM to make 
an application security acquisi- 
tion, but she cited a couple of 



contributing factors. "First, cus- 
tomers aren't raising the issue: 
Neither CIOs or line-of-busi- 
ness executives are demanding 
application security tools." Sec- 
ond, she believes that the appli- 
cation security firms' valuations 
are likely to be too high. "That's 
why [potential buyers] were 
waiting," she speculated. 

In addition to Watchfire, the 
application security market is 
composed of small, privately held 
firms, such as Cenzic, Fortify, 
Ounce Labs and SPI Dynamics. 
They sell black-box testing tools 
and source code scanners, which 
pinpoint security flaws. Several 
companies, including Watchfire, 
have said recently that sales have 
grown in the past year. But Yan- 
kee Group analyst Andrew 
Jaquith estimated that the entire 
market for code assurance is less 
than US$30 million in size, as 
reported earlier by SD Times. 

It's interesting that IBM 
jumped in first, Lanowitz said of 
the planned Watchfire acquisi- 
tion. "They usually wait." 

But this time IBM has taken 
the lead over competitors, said 
company executive Loria. "If 
they want to remain competitive 
with us, they will look at how to 
respond in kind."

Analysts Predict
Open Source Boom 

Companies offering support, services 
can make business out of free code 



BY ALEX HANDY 

Service and support have become the 
backbone of many large software com- 
panies. But for enterprises that build 
their applications on top of open source 
projects, the idea of purchasing service- 
level agreements (SLAs) for support of 
those projects has only recently become 
viable. Every month, new companies 
spring up to offer brainpower-on- 
demand to enterprises that rely on open 
source. After all, said one analyst, you 
can't get an SLA from a community. 

Michael Goulde, an analyst with For- 
rester Research, said that enterprises 
really don't care too much about the 
business model behind the open source 
companies they deal with; they simply 
want accountability. "Accountability 
means someone they can go to with a 
service-level agreement that can provide 
them with break-fix support," he said. 

Mark Driver, Gartner's vice president 
of research, said that while communities 
can make or break an open source pro- 
ject, they can't cater to the needs of the 
enterprise. "I don't want to discount the 
importance of community, but commu- 
nity doesn't come with an SLA." 

Bernard Golden, author of the book 
"Succeeding With Open Source," said 
that SLAs aren't the only draw for big 
companies to sign up for open source 
support contracts. One attraction is sim- 
ple version control. "You'll say, 'We're 
using a bunch of open source software, 
and we're not really sure what versions 
we've got.' You can try and home-grow 
your own solution, which is, I think, fair- 
ly challenging. Or you can go out and 
say, 'How can I solve this problem by 
spending money?'" said Golden. "It's 
the latter that really makes sense." 

As a result, Driver sees a niche in the 
marketplace that he said is being filled 
by the dozens of new service and sup- 
port companies that have sprung up 
around open source projects. Compa- 
nies such as MuleSource, MySQL and 
OpenLogic are able to give enterprises 
the needed confidence in open source, 
said Driver. As a result, Driver predicted 
that the next five years could see an 
explosion of new providers arriving to 
offer some much-needed handholding 
to corporate developers. 

According to Driver, corporations fall 
into two categories when it comes to 
open source: those on the left of the tech- 
nology adoption bell curve, and those on 
the right. Although some superficial par- 
allels with the political counterparts exist, 



those on the right are the ones that Dri- 
ver predicts will spur the growth of open 
source service and support. 

"We are now seeing open source 
adopters aggressively looking at open 
source from the right-hand side of the 
bell curve — these are the much more 
conservative adopters," said Driver. "On 
the left-hand side, you meet people 
ready to take a higher risk for greater 
reward. People on the right-hand side 
don't think that way. They worry about 
cost first, then risk, then competitive 
flexibility." 

Despite his predictions of big rock 
candy mountains and licorice bridges for 
open source service and support compa- 
nies, Driver did point out that there are 
still some trolls under those bridges. He 
said that he expects this new segment of 
the software industry to behave similarly 
to its neighbors: The field will flood with 
entrepreneurs and will eventually be 
flushed out by a surge of consolidation. 
But the real threat, claimed Driver, isn't 
acquisitions; it's patent litigation. 

HERE COMES THE JUDGE 

"Part of the problem we have with open 
source in general is that there's not a lot 
of case law on the books," said Driver. 
"We need more precedent. If precedent 
is there, good or bad, lawyers can work 
with it. The few court cases we've seen 
have been settled out of court. Over 
time we will see more lawsuits. You sue 
where the money is. Open source will 
become a victim of its own success." 
While Driver predicted more litigation 
would come, he stated that these forth- 
coming cases could actually be a good 
thing for open source as a whole. 

Forrester's Goulde also predicted 
some hardships for open source service 
and support companies. "It's so easy to 
be very competitive; there's not a lot of 
proprietary content here. You're not 
going to make a big killing here. No one 
can corner the market on Apache Web 
server support," said Goulde. "It's a good 
deal for customers." 

Goulde added that open source is 
currently more of a buzzword than it is a 
business strategy to the current crop of 
competitors. "I don't think that main- 
taining your primary identity as an open 
source company is the future. I think 
almost all companies will have varying 
degrees of open source in their strategy," 
said Goulde. "Being an open source 
company will become a descriptive term 
for almost all software companies."

The new WSDLGen utility allows developers to feed in WSDL contracts and get complete C++
and Java applications in return.

Iona Lets Loose
An Artix Avalanche 

Data services, governance and other 
features added to SOA suite 



BY P.J. CONNOLLY 

Although global warming may be shrinking
the Arctic's polar ice caps, Iona
Technologies' Artix just keeps growing.
Last month the company announced 
several upgrades to the SOA infrastruc- 
ture suite, and the introduction of Artix 
Data Services for data transformation. 
The new features of Artix focus on 
developer productivity, flexibility in 
deployment, and performance improve- 
ments. 

The Artix update was designed to 
take advantage of the governance fea- 
tures in Artix Registry/Repository, which 
debuted in March. Artix Registry/ 
Repository provides a service manifest 
for distributed service-oriented archi- 
tecture environments that the company 
claims is complete and dynamic, with 
contracts, dependencies and implemen- 
tation artifacts defined in a way that 
allows for validation of policies and ser- 
vices. This lets customers approach gov- 
ernance flexibly, when compared with 
those tools that are built around a static 
archive of these constructs. 

The new Artix Data Services is 
based on technology originally developed
at C24, which Iona bought in
March. It's designed to execute data 
transformations at runtime as quickly 
as possible in large-scale, performance- 
demanding SOA environments. Artix 
Data Services includes a set of graphi- 
cal development tools that the compa- 
ny claims eliminate the need to write 
transformation code or scripts, and 
rules-based data validation features 
that contribute to ensuring data 
integrity in the environment. 

Digging into the individual updates, 



Artix ESB 5.0 is the "classic" Artix 
enterprise service bus, now beefed up 
with support for JAX-WS 2.0 and 
WSDL generation capabilities that 
allow developers to take WSDL contracts
and create complete C++ and
Java applications from them. The 
update also includes performance and 
routing improvements, according to 
the company. 

Artix Orchestration 5.0 adds support 
for the gamut of WS-BPEL 2.0 process 
constructs and semantics, and works 
with Eclipse 3.2. It also offers side-by- 
side execution of BPEL 1.1 and 2.0 
processes, and automatic migration of 
BPEL4WS 1.1 processes to WS-BPEL 
2.0 formats. 

Customers that wish to include main- 
frame-based assets in their SOAs can 
turn to Artix Mainframe, which in this 
release adds a new versioning utility, and 
allows the use of COBOL Level 88. 
Artix Mainframe now also allows user 
exceptions in CICS and IMS Web ser- 
vices that were built in Interface 
Description Language, and can also gen- 
erate unique OTMA (IMS Online 
Transaction Manager Access) T-pipe 
names, for asynchronous requests. 

There are three common themes that 
underlie these products and capabilities, 
noted Stephanos Bacon, vice president 
of product development. "We think 
about SOA as being inherently distrib- 
uted," he said. "We talk about our prod- 
uct line as enabling the development 
and deployment of a distributed SOA 
infrastructure, and we gear everything, 
from the technology side as well as on 
the business side of things, to be
adoptable incrementally."

Solstice Integra 6 Validates Against Java EE



EJB, Java Key Store support expand SOA testing 



BY DAVID WORTHINGTON 

A solstice occurs twice a year, 
and staying true to its name- 
sake, Solstice Software shipped 
the second release of its Integra 
suite for SOA testing this year, 
on June 29. Integra 6.0 deepens 
its Java Enterprise Edition 
(Java EE) support and expands 
test coverage within secure 
environments. 

"It can be difficult for non- 
technical testers that do not 
understand the complexities of 
SOA architecture to get their 
arms around EJB interfaces," 
said Solstice chief technology 
officer Bob Carmichael. Sol- 
stice has democratized testing 
for nondevelopers by providing 
a wizard and a graphical editor 
to construct Enterprise Java- 
Beans (EJB) test cases. 

According to Carmichael, 
traditional black-box test sce- 



narios cover only a small per- 
centage of logic. The new test 
case tools, he said, make valida- 
tion of message-based systems 
across application components 
a more seamless part of the 
development life cycle and cre- 
ate a centralized environment 
for development and QA teams. 

The Integra Test Automa- 
tion Core has platform 
libraries that provide tailored 
validation of ESB and SOA 
platforms, including a Java EE 
library. Integra 6's new capabil- 
ities are part of the updated 
Java EE library. Integra can 
now execute EJB interfaces 
(2.0 and 3.0 releases) and vali- 
date results without writing 
code, thanks to its support for 
the EJB specification. 

Integra's ability to detect 
SOA defects within secure 
environments has been ex- 



panded to work both at the 
Web-services level and the 
transport level. Carmichael 
explained that testers require 
appropriate credentials to exe- 
cute processes in secure envi- 
ronments — most commonly 
the staging environment. 

Solstice broadened its sup- 
port for key store formats and 
authentication; Integra now 
allows testers to supply cre- 
dentials as part of the test case. 
The supported formats are JKS 
(Java Key Store), PEM (Priva- 
cy Enhanced Mail) and PKCS 
12 (Personal Information 
Exchange Syntax Standard), a 
portable format for the storage 
and transport of users' private 
keys and certificates. Integra 
also accepts the digital signatures
of SOAP messages.

"This [support] eliminates a
hurdle to creating reusable
tests," Carmichael noted.
On the authentication end,
Integra supports WS-Security
and SAML. It applies layered
security actions on messages,
which is useful when only a section
of a file needs to be digitally
signed, said Carmichael.

Integra's wizard helps construct Enterprise JavaBeans test cases.



Google Puts Web Apps in Gear 



BY JEFF FEINMAN 

Google hopes to make life easi- 
er for developers traveling on 
airplanes, or finding themselves 
in places where Internet access 
is spotty, with a beta release of 
Google Gears, a free, open 
source tool for creating Web 
applications offline. 

Much of the buzz that fol- 
lowed the announcement of 
Google Gears at the company's 
May Developer Day stems 
from the idea of having a single 
standard for offline capabilities. 

Google Gears provides a 
local server for the caching and 
serving of application resources 
and local data storage in a fully 
searchable relational database, 
and uses a worker thread pool 
to improve application respon- 
siveness by running computa- 
tionally intense applications in 
the background. The Local- 
Server, which is part of the 
Google Gears API, is a contain- 
er for stores of URLs that are 
used in an application. 

David Mitchell Smith, an 
analyst for Gartner, said that 
the tool's biggest benefit is that 
it works on multiple browsers 
and different systems. Howev- 
er, he noted that Google Gears 
is not the first of its kind. 

"I think it's got a lot of 
potential, so people should be 
looking at it, but they shouldn't 



be looking at it as the only solu- 
tion," Smith said. "There are 
competing offerings, like the 
toolkit from Dojo, and then of 
course there's Microsoft. They'll 
have to respond one way or 
another, probably with some- 
thing that's a little bit more 
focused on a rich client 
approach that reaches out to the 
Web. They have Ray Ozzie, who 
in a lot of ways is the king of 
offline, and I'm sure he's going 
to have some things to offer." 

Smith was referring to 
Ozzie's role in the creation of 
Lotus Notes, a desktop client 



option for accessing business e- 
mails, calendars and applica- 
tions from an IBM Lotus Domi- 
no server. Ozzie created Lotus 
Notes with his company Iris 
Associates, founded in 1984. 

Google Gears uses the pub- 
lic domain SQLite database 
management system. Mozilla 
and Adobe will be joining 
forces with Google on the 
Gears project to create one 
consistent API for offline func- 
tionality. 

Kevin Lynch, senior vice 
president and chief software 
architect of Adobe Systems, 



said as part of the Google 
announcement that the 
Google Gears API will eventu- 
ally be available in Adobe 
Integration Runtime (AIR), 
formerly known as Apollo. 
Aligning the Google Gears and 
Apollo DB APIs, both of 
which use the SQLite data- 
base, is intended to make 
building applications that can 
leverage both API implemen- 
tations easier, Lynch said. 

Gartner's Smith observed 
that while most attempts at 
offline work have been rela- 
tively heavyweight solutions, 



Google has always been able to 
do things in a reasonably light- 
weight fashion. Because of 
Google's lightweight style, 
there is a great deal of potential 
for this to be adopted in high 
numbers, Smith said. He 
added that without connection 
to the Web, developers creat- 
ing Web applications have few- 
er capabilities, but the new tool 
makes that less of an issue. 

Smith pointed out that 
even with the growing avail- 
ability of wireless connections 
and Internet access, there are 
still many instances where 
people cannot access the 
Internet, airplanes being an 
obvious example. 



Adobe AIRs Out Desktop Client Runtime 



< continued from page 1 

get the reach but provide 
options?" 

The desktop client gives 
users options the browser can't 
provide: the ability to work on 
applications offline, to read 
and write files to disk, and to 
tie in system notifications, 
among many other advantages, 
Downey said. 

He explained that AIR goes 
beyond the Flash Player 
because Flash lives in the 
browser and is constrained by 
the browser, while AIR resides 
on the desktop, providing 
more capabilities than can 
now be delivered in the 
browser. 

AIR also can let developers 
use PDF content in their 
applications, thanks to support 
for Adobe Reader 8.1 or high- 
er. And, at Adobe Labs, an 
extension to Adobe's Dream- 
weaver enables those develop- 
ers to build AIR applications in 
that tool, where AJAX support 
is extensive, Downey added. 

"This is the next generation 
of our RIA platform," said Dave 
Gruber, group product market- 
ing manager for Flex. 

The Flex 3 release marks 
the beginning of Adobe's 
promise to take the product 
open source. Adobe will deliv- 
er the public road map for 
Flex, along with the bug base, 
Gruber said. 

The release includes a 
number of major new features, 
Gruber said. While AIR pro- 
vides base-level APIs for 
direct connectivity to the 
client database, the Flex 3 
framework allows developers 
to work with local data and 
sync it with the remote server 
via Lifecycle ES Data Services 
(formerly Flex Data Services). 

Also new is the inclusion of 
an AIR debugger in Flex 
Builder, the design tool; application 
packaging and signing 
for Flex applications to deploy 
on AIR; code refactoring tools; 
and the ability to cache the 
Flex framework inside the 
Flash Player. 

Integration with Adobe's 
Creative Studio 3 enables 
developers to create skins and 
styles in that tool and then lay- 
er them into Flex applications, 
Gruber said. He added that 
images can be imported from 
Adobe's Photoshop and Illus- 
trator applications. 

"People are beginning to 
see the richness of bringing 
Adobe's products together with 
the old Macromedia products," 
Gruber said. 

Trolltech Offers Java RIA Framework 

Qt Jambi lets developers build on C++ in Java and deploy applications via browser 



BY ALEX HANDY 

Developers that wish to reuse 
code in rich Internet applica- 
tions may turn to Trolltech, 
which in early June released Qt 
Jambi, a cross-platform rich 
client application framework 
and API. While Jambi was built 
for Java, it's based on existing 
Qt C++ work, and existing C++ 
assets can therefore be run 
through the Jambi generator, 
producing Java components 
and APIs. 

Trolltech is known for its Qt 
line of APIs, frameworks and 
GUI libraries. This experience 
has been brought to bear on 
Java, with the release of Qt 
Jambi. Naren Karattup, prod- 
uct director of development 
tools at Trolltech, said that 
Jambi enables cross-platform 
development in a manner pre- 
viously unavailable to Qt users, 
thanks to the software's Java 
underpinnings. 

"It will enable developers to 
deliver compelling rich client 
cross-platform applications, 
with native look-and-feel, using 
their existing Java skills and 
tools, with a very high degree of 
desktop integration — drag-and- 
drop and local file system 
resources will work, among oth- 
er things — and to do so using a 
mature and highly powerful 
API," said Karattup. Those 
desktop integrations have tradi- 
tionally been a sticking point 
for browser-based rich client 
applications, he added. 

BROWSER OPTION 

But Jambi will also allow devel- 
opers to deploy their applica- 
tions through a browser instead 
of a desktop, said Karattup. 
"Although the primary intend- 
ed usage for Qt Jambi is to 
make traditional rich clients, it 
can also produce Web applica- 
tions that can be deployed over 
the Web in a browser, which is 
one of the primary selling 
points." 

Jambi applications are also 
easier to test, he added. "Pro- 
grammers get a predictable, 
consistent API helping them to 
create applications which can 
be deployed without having to 
exhaustively test on the matrix 
of different browsers and dif- 
ferent platforms." 

Qt Jambi positions itself, like 
sandwich bread, around the 
Java Virtual Machine. The Java 
layer to which developers program 
sits on top of the JVM, 
while the C++ Qt-based foundation 
rides underneath, shepherding 
the existing interface 
elements and handling the 
hardware and operating system 
interactions. As a result, developers 
have a much greater ability 
to touch the computer from 
inside the rich clients they 
write. 

Karattup also noted that 
Jambi includes Eclipse integrations, 
to speed development 
and application generation. 
Jambi is available now from 
Trolltech, and is offered under 
a dual license, for either commercial 
or open source work. 

Introducing Data Dynamics Reports, a new royalty-free reporting toolkit for 
Microsoft .NET developers. Based on the Report Definition Language (RDL), 
Data Dynamics Reports integrates into Web and Windows Forms applications 
and provides a rich API with which to create and modify reports. 

In addition to the base features provided by RDL, Data Dynamics Reports 
has added several new features to make your reports really shine. 

Go ahead. Show off. With Data Dynamics Reports, you have the tools to 
do it right. 




Sales by Media Type 

Media Type | Quantity | Net Sales   | Net Profit 
DVD        | 2,838    | $59,002.43  | $32,046.59 
LaserDisc  | 1,953    | $36,199.55  | $20,676.77 
HD-DVD     | 199      | $6,154.77   | $2,367.86 
Total      | 4,990    | $101,356.75 | $55,091.22 

Media Type | Quantity | Net Sales   | Net Profit 
VHS        | 2,733    | $50,410.16  | $29,073.02 
Total      | 2,733    | $50,410.16  | $29,073.02 

Master Reports 

Provide a template containing data sources, data sets, 
and common report items to report authors. 

Data Visualizers 

Data bars, color scales, icon sets, and range bars all help 
explain your data at a glance. 

Barcode 

Save time and money with the included Barcode report 
item. It supports 23 of the most popular barcode symbologies, 
from Code39 to UPC, PostNET, and JapanesePostal. 

Enhanced Chart Data Region 

The Chart data region contains many new chart types 
including Gantt, Pyramid, Funnel, and many new financial 
charts. 



Banded List 

The BandedList data region gives the author the ability 
to position items freely as in a List, but with the added 
grouping support of a Table. 

Formatted Text 

Insert XHTML right into your report with the 



Designer Control 

A designer control is included so your users can create 
reports from within your own application. 

Word Export 

With the included Word rendering extension, you and 
your users can export reports to Word document format 
directly from the viewer without purchasing costly 
components. 

Europa Release Gives Eclipse Major Overhaul 



< continued from page 1 

gramming tool and BPEL edit- 
ing tools as well. 

Of course, Java doesn't get 
all of the love in Europa. 
Another project that's first see- 
ing the light of day in this 
release is the Dynamic Language 
Toolkit (DLTK). While 
this toolkit is specifically 
designed to allow developers to 
add new dynamic languages to 
the Eclipse IDE as plug-ins, it 
also includes two sample lan- 
guage implementations for 
Ruby and TCL. 

The trackbed of Eclipse has 
been overhauled for this release 
as well. The OSGi Alliance's 
new Equinox technology has 
been integrated into Eclipse, to 
the benefit of the rich client 
platform. For Web program- 
mers, the Web Tools Platform 
(WTP) can now manage Tom- 
cat work directories from inside 
Eclipse. Additionally, the WTP 
now includes a visual page edi- 
tor designed to ease the devel- 
opment of JavaServer Pages 
(JSP) and HTML. 

The BIRT reporting suite has 
also been updated. "We think 
this is a great project that offers 
a lot of functionality to Java 
developers," said Milinkovich. 
"There are several different 
new chart types. There's a new 
dynamic cross-paths report. 
You can actually have [Micro- 
soft's] Word and Excel as out- 
put formats for your reports, 
now. You can use Web services as 
data sources. They've done some 
work on making it easier to 
deploy and integrate BIRT with 
server applications, too. The days 
of hand-coded JSP for reporting 
is coming to an end with the way 
BIRT is progressing." 

And, keeping up with the 
times, all portions of the 
Eclipse Europa release are now 
compatible with Windows 
Vista. Developers hoping for 
some simplicity in the install 
process will also be happy to 
hear that the Eclipse Founda- 
tion has streamlined the pack- 
aging of the IDE. Specifically, 
there will be four packages 
available: one for Java develop- 
ers, another for enterprise Java 
developers that includes Java 
EE support, a third for C/C++ 
developers, and the last, for 
RCP and plug-in developers. 

Eclipse's Europa release can 
be found online at www.eclipse.org. 
The software and all 
of its plug-ins and frameworks 
are free and open source. 

Mylar's name has changed to Mylyn, and for Europa it will offer new workflow task views. 



21 PROJECTS, 17M LINES OF CODE 



With more than 17 million lines of code, 21 projects and programmers from 25 countries contributing 
to the project, Eclipse's Europa release is one of the largest open source projects. Despite that size, 
the project has been hitting its annual release dates consistently for the past few Junes. This time 
around, however, the release includes more third-party projects than ever before. Here's a list of pro- 
jects that have been updated in Europa. 



Tools for Enterprise Developers 

• Mylyn workflow tool (formerly known as Mylar) 

• Eclipse Modeling Framework Technology-Jet 

• AspectJ Development Tools 

• SOA Tools Platform Project 

• Graphical Editing Framework 

• Test and Performance Tools Platform (TPTP) 

• Graphical Modeling Framework 

• Business Intelligence and Reporting Tools (BIRT) 

• Model Development Tools 

• Web Tools Platform (WTP) 

• Eclipse Communications Framework 

• Buckminster Component Assembly Project 

• Dash tools for committers 

• Dynamic Language Toolkit 
(DLTK), featuring support for 
Ruby and TCL 

• Data Tools Platform 


Application Frameworks 

• Eclipse Platform 

• Eclipse Modeling Framework 

• Eclipse Modeling Framework 
Technology 


Tools for Embedded 
Developers 

• C/C++ IDE 

• Device Debugging 

• Target Management 



Virtualization Gives QA Next-Best Thing to Real Thing 



< continued from page 3 

that "they can find the defects, 
capture the URL of where the 
defect would be, send that 
URL to the developer, [who] 
brings up on their development 
machine that virtualized envi- 
ronment." 

Lanowitz cited another ben- 
efit of virtual lab automation: 
the ability to use offshore help 
better. Instead of packing up a 
computer in San Jose, sending 
it to Bangalore, India, and 
praying it isn't lost or damaged 
in transit, "you give your off- 
shore team a virtualized image 
of what they're testing against 
or what they're developing 
against. They don't have to wait 
for anything... you're saving so 
much time in provisioning." 

Time is the big savings, 
according to Voke's research, 
she noted. "Going from two 
to three — or five to six — days 
down to a few minutes is a 
huge savings in time, and what 
that really equates to is less 
dependence by the QA organi- 
zations, and by the develop- 
ment organizations, on people 
in IT services." 

Time is people, and people 
are money, she continued: "You 
don't have to have as many tac- 
tically driven people on the IT 
services side to set up those 
labs, and make sure the operat- 
ing system has the correct 
patches and so on." The headcount 
thus saved on "grunt" 
services can be redeployed, 
inside IT, or returned to the 
line of business. 

"People who have imple- 
mented [virtualization] on the 
application development side 
see immediate benefits, imme- 
diate cost savings," according to 
Lanowitz. "They can reduce 
their development and QA time 
by as much as 50 percent with- 
in a project life cycle." 

Lanowitz explained, "What 
virtualization is delivering now 
is a very flexible, malleable envi- 
ronment for people throughout 
the organization: sales, market- 
ing, development, QA, opera- 
tions." It liberates them from 
the old machine-operating system 
lock-in, and allows the customer 
to "use whatever image 
or environment they need to 
use at any particular time on any 
piece of hardware. The future is 
really bright for this constant 
kind of virtualization across the 
entire enterprise." 

UNANSWERED QUESTIONS 

But the industry isn't ready 
everywhere for virtualization, 
she noted. "One of the problems 
that we'll see ... is how are 
tools and applications licensed 
in this kind of a virtual envi- 
ronment? So many vendors 
license their software to a seat 
or a physical computer. What 
happens if you take that sys- 
tem and virtualize that, several 
times over? Do you need a 
separate license? Do you sell a 
virtualization license, if you're 
a software vendor? These 
are the types of questions that 
the industry has not yet 
answered." 

Virtualization, Lanowitz con- 
cluded, "is something that 
goes across the entire organi- 
zation, where the operations 
people have been using it for 
so long in the data center, and 
now the people on the devel- 
opment side are starting to 
take a look at this and say, 
'Guess what, we can reduce 
our dependency on cost.' It 
squashes a lot of fears around 
the idea of security and around 
[whether] they're using the correct 
environment." 

Complex Event Processing Made Simple 

Coral8, StreamBase try to untangle web of transactions 



BY ALEX HANDY 

While computers are getting 
faster every day, the information 
they must handle seems to be 
outpacing the growth predicted 
by Moore's Law. Perhaps that's 
why complex event processing 
(CEP) platforms are beginning 
to make headway into software 
development shops that aren't 
simply dealing with stocks and 
commodities trading, where 
CEP first came to prominence. 
These platforms have carved out 
a niche for themselves in the 
gray area where a database is too 
slow, and an application server is 
too unpredictable. For vendors 
such as Coral8 and StreamBase, 
the world of CEP is expanding 
further beyond financial services 
every day. 

Coral8 has been selling its 
CEP software for just over a year. 
In June, the company released 
version 5.0 of its CEP platform, 
heralding a heavy increase in 
speed and performance. 

Coral8 and StreamBase are banking that complex event processing will 
save developers time and energy. 

John Morrell, director of 
product marketing for Coral8, 
observed that CEP is ready for 
broad use. "We're seeing a big 
shift in the market where people 
have now recognized what CEP 
is, and what it can do for them in 
a number of application areas," 
said Morrell. "They're moving 
beyond the experimentation 
stage. [CEP] requires a much 
stronger infrastructure component 
that will allow these folks to 
scale their applications, tune 
them and manage them on an 
enterprise basis." 

Morrell said that Coral8's 
software promises latency of a 
half-millisecond per transaction, 
a level of efficiency that would 
be difficult to replicate in standard 
development processes. 
Instead of saddling developers 
with the task of building the pro- 
cessing engine from scratch, 
Coral8 offers them tools for 
streamlining the processes run- 
ning in the CEP platform. 

"As people start to build 
more complex applications, the 
queries inside the CEP algo- 
rithm become more complex 
and more varied. In order to 
tune these systems, you need to 
get a lot of statistics about what's 
going on in these queries," said 
Morrell. As such, Coral8 has 
included new controls for 
queries and new visualizations to 
help understand where bottle- 
necks are in data streams. 

StreamBase, meanwhile, is 
finishing its own version 5. The 
company says it will be releasing 
the update this September, and 
also announced that StreamBase 
5 will focus on new customer- 
centric features specific to some 
of the new markets opening up 
to CEP. In particular, it will fea- 
ture new query actions, such as 
pattern matching, which can be 
performed on the data 
processed in the CEP. 

StreamBase 5 will also in- 
clude new frameworks for build- 
ing applications on top of the 
CEP software. At first, the com- 
pany will release a trading 
framework, but others are 
expected to be available soon 
after the release. Additionally, 
StreamBase 5 will include per- 
sistence connectors for IBM 
DB2, which will allow process 
streams to be saved for later use. 

John Partridge, StreamBase's 
co-founder and vice president 
for industry solutions, said that 
the CEP market has lately 
begun to heat up. While Stream- 
Base began selling its namesake 
solution only in 2005, the com- 
pany's customer base has already 
expanded into new vertical mar- 
kets, he said. 

"It's heating up in a couple 
of different areas, beyond 
financial services and military 
intelligence stuff. The telecom- 
munications space is interested, 
and also network monitoring 
and intrusion detection compa- 
nies. It's even as far-reaching as 
massively multiplayer online 
games. We didn't plan that 
when we launched the company," 
said Partridge. 

Oracle Unveils Developer Tools for .NET Platform 



BY P.J. CONNOLLY 

Oracle in early June announced 
beta versions of two free devel- 
oper tools for Microsoft's .NET 
development platform, and 
plans to improve its tooling for 
ASP.NET services. 

The betas of Oracle Data 
Provider for .NET and Oracle 
Developer Tools for Visual Stu- 
dio .NET are expected by the 
company to simplify the build- 
ing of .NET applications that 
use an Oracle database. Both 
allow developers to create .NET 
custom data types from abstract 
data types used by Oracle, and 
add source control integration 
and support for user-defined 
types. The tools work best with 
Visual Studio 2005, says the 
company, although the Visual 
Studio plug-in can also be used 
with Visual Studio .NET 2003. 

Teradata Integrating C, Java Libraries 

BY P.J. CONNOLLY 

Teradata announced in late 
May that it would be integrat- 
ing two numerical libraries 
from Visual Numerics into its 
line of applications and tools. 

After looking at the available 
third-party options, explained 
Teradata senior advanced ana- 
lytics product manager Robert 
Juhasz, the company chose 
Visual Numerics because it was 
established, it had robust 
libraries with a number of ana- 
lytic functions, and it had a track 
record in a broad range of 
industries. 

The IMSL C Numerical 
Library and JMSL Numerical 
Library for Java are intended to 
help customers build forecasting 
tools and predictive analysis 
applications by incorporating 
neural network technology. This 
allows users to build predictive 
models, using historical data and 
training the network to tweak 
the model as data accumulates. 

This training takes a repeated 
series of forecasts and makes 
comparisons against actual out- 
comes. 

Teradata — in the process of 
splitting off from NCR — has 
already begun work on building 
the JMSL library into its apps 
and expects to release updates by 
the end of June; no timetable has 
been set for doing the same with 
the IMSL library. 



Developers can drag and 
drop Oracle database objects 
onto ASP.NET Web pages with 
the new tools, while the source 
control features in the Visual 
Studio plug-in allow them to 
back up and version .NET 
applications with Oracle scripts, 
using a number of common 
source control systems. 

Oracle Data Provider enables 
developers to access perfor- 
mance, reliability, scalability and 
security features in Oracle Database 
10g, including application 
security context, clustering and 
native Oracle data types such as 
large objects (LOBs) and REF 
Cursors, which allow record sets 
to be returned from stored pro- 
cedures and packages. 



The company revealed plans 
for the future availability of Oracle 
Providers for ASP.NET, 
which would allow ASP.NET 
applications to manage state 
information and other useful 
data within an Oracle database. 

6.0 for Windows 
virtualization software for desktop and laptop 
computers, with the richest feature set and 
broadest platform support available. VMware 
Workstation enables users to create and host 
multiple virtual machines on a single desktop, 
expanding the power of desktop systems for 
VMware Workstation 6.0 is packed with 
new features including support for Windows 
Vista, multiple monitors and high-speed 
USB 2.0 devices, as well as the ability to 
create portable, secure virtual machines. 

Microsoft Sticks to Here-and-Now at Tech-Ed 



< continued from page 1 

mistakes of previous years' 
keynotes: overarching discus- 
sions about Microsoft's visions, 
from Hailstorm to WinFS. 

The topic of Muglia's keynote 
was Microsoft's Dynamic Systems 
Initiative (DSI), an optimization 
model in which software 
and services can come 
together as a strategic asset for 
businesses. The keynote was 
topped off with a discussion of 
what defines business agility, 
with Gartner vice president and 
distinguished analyst Tom 
Bittman. The lengthy DSI dis- 
cussion did not set off Lloyd's 
MS-BS detector, but did trigger 
a slow bleed of attendees from 
the auditorium. 



Muglia also announced that 
Microsoft and Linux vendor 
Xandros will collaborate on in- 
tellectual property assurance, 
Office document compatibility, 
server interoperability and systems 
management interoperability, 
and both will commit to 
joint sales and marketing efforts. 

A little more than a week 
after the revelation of Micro- 
soft's intellectual property agree- 
ment with Xandros, it was 
announced on June 14 that Lin- 
spire, a former litigant against 
Microsoft, had followed suit 
with an agreement even broader 
than the software giant's pact 
with Xandros and its earlier pact 
with Novell: Microsoft intellectual 
property will be bundled with a 
Linux distribution. The Linspire 
5.0 operating system will contain 
Microsoft technologies for digi- 
tal media, instant messaging, 
search and typography, if cus- 
tomers purchase a patent SKU. 

Muglia sorted out a couple of 
nagging branding issues, by 
announcing that the long-await- 
ed "Longhorn" Server and Visu- 
al Studio "Orcas" would ship as 
Windows Server 2008 and Visual 
Studio 2008, respectively. No 
word was given on exactly when 
in that year they might ship, giv- 
ing the company a full year and a 
half of breathing room. Develop- 
ers left Tech-Ed with a handful 
of beta software, including beta 1 
of Visual Studio 2008. 

In addition, Microsoft intro- 
duced three Server Core roles 
for Windows Server and a new 
Visual Studio mode that allows 
partners to apply their own 
branding. Server Core roles are 
specialized, low-footprint instal- 
lations of Windows Server with- 
out the GUI; the new roles 
announced at Tech-Ed are those 
of media server, based on Win- 
dows Media Services, virtualiza- 
tion server, based on Windows 
Virtualization Services (code- 
named "Viridian") and Web 
server based on IIS (Internet 
Information Server) 7. 

BEYOND 2008? 

Attempts to coax Microsoft exec- 
utives to define the product road 
map beyond 2008 were unsuc- 
cessful: Microsoft is simply not 
talking futures at this time. 

The real story behind Tech- 
Ed this year was the parade of 
small events that made it an 
immersive experience for devel- 
opers. Among other topics, 
attendees were introduced to the 
basic concepts of building Sil- 
verlight-enabled Web applica- 
tions, saw demonstrations of 
SoftGrid Application sequenc- 
ing, and were given the details of 
Microsoft's support for Web 
standards and Web application 
security. There was also a hands- 
on session with the .NET Micro 
Framework. 

IBM Buys Telelogic, Extends ALM Reach 



< continued from page 1 

unit, according to Danny Sab- 
bah, general manager of IBM 
Rational. IBM has stated that it 
will retain Telelogic's products, 
employees and prior acquisi- 
tions, including the most recent 
Popkin Software and I-Logix 
purchases. The main motiva- 
tion behind IBM's purchase of 
Telelogic is to penetrate the 
embedded systems market, 
which Sabbah described as a 
growth area. 

One market that IBM has set 
its sights on is the recently 
coined "System-of-Systems," 
which focuses on the orchestra- 
tion of command-and-control, 
communications and informa- 
tion systems and is being looked 
into for the areas of defense, 
space exploration and trans- 
portation. 

"Embedded systems is an 
integral part of not only the 
development of products, but 
also this whole notion of System- 
of-Systems, which we believe is 
growing," Sabbah said. 

WHAT ABOUT OVERLAP? 

Theresa Lanowitz, founder of 
analyst firm Voke, said that 
Telelogic would fit well into the 
IBM Rational brand, as it 
extends IBM Rational's idea of 
a software life cycle into the 
embedded space. Even though 
there is a significant amount of 
overlap, IBM Rational will have 
the opportunity to pick and 
choose the better tools from 
Telelogic and its own product 
line, she added. 

IBM was criticized by some 
in the industry for the way in 
which it handled the acquisi- 
tion of Rational, as it took 
quite some time for the 
merged product lines to line 
up properly. According to 
Lanowitz, many of the compli- 
cations with that acquisition 
had to do with the assimilation 
of a new brand. In contrast, 
she believes that the Telelogic 
offerings will fit into the Ratio- 
nal brand, particularly in areas 
such as requirements manage- 
ment and testing. 

Kevin Parker, vice president 
of market development for Ser- 
ena, claimed that with its atten- 
tion focused on the Jazz collab- 
orative development project, 
IBM has lost focus on some of 
its ALM product lines. As a 
result, companies like Serena 
and Telelogic have been able to 
pull ahead, and the only way for 
IBM to catch up was through 
acquisitions, he argued. 

Parker shared Lanowitz's 
feeling that the acquisition will 
boost IBM Rational's requirements 
management lineup. 

"In the requirements management 
space, there are really 
only three vendors — Serena, 
IBM/Telelogic, and Borland — 
and IBM was starting to slip in 
that space, so they had to do 
something," he said. 

Now that IBM Rational has 
grown by removing a significant 
competitor in the ALM market, 
other players in the space 
seemed cautiously enthusiastic. 
Borland Software's Marc 
Brown, vice president of product 
marketing, said that in the 
long term, an acquisition such 
as this removes straightforward 
ALM companies and leaves 
customers with no option but to 
deal with industry juggernauts 
such as IBM. At the same time, 
the deal opens opportunities for 
"neutral" ALM players such as 
Borland and Serena to gain customers. 

Ada, C Supported in Hard Real-Time Java Kit 

Scorpion delivers low-latency tool set for safety-critical work 



BY P.J. CONNOLLY 

Making Java applications meet the rigor- 
ous demands of hard real-time applica- 
tions was considered something akin to 
cold fusion a few years ago. But DDC-I, 
a developer of compilers, integrated 
development environments and runtime 
systems for embedded application 
development, claims that the Eclipse- 
based tool set it released in mid-June 
delivers a level of latency two orders of 
magnitude lower than competing real- 
time Java solutions. 

DDC-I's history is in the aerospace 
and defense market, which has been a 
stronghold of Ada and classic C develop- 
ment, explained company president and 
CEO Bob Morris. "Ada is still out there, 
it's still strong, but it's not a growth market," 
he noted. "What the defense guys 
and aerospace guys have realized for 
some time is that it's really hard to find 
Ada engineers. It's hard to find good C 
engineers. What the colleges are turning 
out are people who know C# and Java." 
So, instead of bucking the tide, Morris 
said, "what they're trying to do is move 
to Java." 

The company's new Scorpion tools 
are based on the Real-Time Specifica- 
tion for Java (RTSJ), and allow develop- 
ers to use Java with other languages, 
including Ada, C and Embedded C++. 
As a member of the Safety Critical Java 
Expert Group that is trimming the RTSJ 
for FAA-certified safety-critical applica- 
tions, DDC-I also pledged its tools 
would support the group's work on the 
JSR 302 specification. 

The Scorpion tools include a 
builder that performs ahead-of-time 
Java file builds, compilers and debuggers 
for Ada, C, Embedded C++ and 
Java, and the ScorpionVM virtual 
machine, for real-time application exe- 
cution. The company claims that its 
"smart linker" can reduce code size up 
to 80 percent by removing unwanted 
objects from closed systems, while its 
application profiler helps balance code 
speed with code bulk by determining 
the optimal mix of compiled and inter- 
preted code. 

Because garbage collection is so crit- 
ical in hard real-time applications, Scor- 
pion uses a deterministic, distributed 
collector, licensed from German real- 
time developer Aicas, which DDC-I 
claims reduces the overall complexity of 
managing garbage in memory. 



Scorpion also offers what the compa- 
ny calls a unique ability to support exist- 
ing Ada and C programs, with a wizard 
that maps Java native calls directly to the 
underlying code, with the intent of sim- 
plifying the migration of legacy pro- 
grams to today's RTSJ environments as 
well as future JSR 302 safety-critical 
environments. 

The Scorpion compiler takes the 
form of an Eclipse plug-in that works 
with Wind River Workbench 2.6 and 
VxWorks 6.4; Scorpion also offers a run- 
time Java platform for the Wind River 
OS. At release, Scorpion was available 
for target systems with Pentium or 
PowerPC processors running VxWorks 
6.4, but the company expected to 
announce other supported platforms 
later this year. 



Garmin Gives Developers Direction 

BY P.J. CONNOLLY 

Garmin International announced at the 
end of May the launch of the Garmin 
Developer Web site, aimed at opening 
up what company spokesperson Jessica 
Myers admitted had been a challeng- 
ing environment for third-party devel- 
opers who wanted to write applications 
and provide data to Garmin's naviga- 
tion systems. 

The Web site hosts a library of APIs, 
toolkits and Web services organized 
into six core products: The Garmin 
Communicator Plugin API, the 
Garmin Fleet Management Interface, 
the PeerPoint messaging system, and 
toolkits for content and location-based 
services (LBS) are all available now; 
the MotionBased Web Services API 
complements the Communicator Plug- 
in API and will be available later this 
year. 

The Communicator Plugin API is 
JavaScript support code and a Web 
browser plug-in that allows developers 
to transfer location data — including 
maps, points of interest (POIs), track 
logs and waypoints — between Garmin 
devices and Web sites. This is intended 
to simplify the loading of new location 
data to a Garmin device. 

Meanwhile, the Fleet Management
Interface works with Garmin's portable
navigation devices to enable dispatch,
messaging, navigation and tracking
functions that allow companies to monitor
essential vehicle information
including cargo and fuel status, idle
times and stop counting, as well as more
basic information such as location,
speed and direction of travel and travel
distance. It also enables direct-to-driver
text messaging and "new destination"
prompts that allow instant rerouting.

Image caption: With the new developer tools, claims Garmin, deploying custom content on top of a basic map
such as this in a navigation device becomes simple.

The PeerPoint messaging system 
allows developers to use Garmin's loca- 
tion message format to send precise 
coordinates to phones that are running 
the Garmin Mobile XT application. 
This SMS-based interface is used with 
the Garmin Mobile Smartphone SDKs 
to build location-based enterprise-class 
applications for Palm OS and Windows 
Mobile devices. 

The Garmin Content Toolkit 
enables the creation of secure POIs for 
the company's GPS systems, with the
aim of creating an ecosystem of content,
such as lists of Wi-Fi hotspots,
tour guides and other information that 
end users might want to download to 
devices. 

The Garmin Location-Based Ser- 
vices Toolkit allows developers to add 
LBS features to Java-based mobile 
phone applications, incorporating the 
company's content delivery, navigation 
and search services into one platform. 
Finally, the forthcoming MotionBased 
Web Services API opens up the com- 
pany's MotionBased.com physical fit- 
ness and training support service to 
third parties. 

The new Garmin developer tools are 
available for free use with two excep- 
tions: Content Toolkit users that charge 
their customers must give Garmin a 
piece of the action, while the LBS Toolkit
is priced on a case-by-case basis.



Oracle DB Lite Adds Support For Languages

BY P.J. CONNOLLY 

Oracle announced in early June the gen- 
eral availability of Oracle Database Lite 
10g Release 3, which now allows the use
of stored procedures written in C++ and 
C#; previous versions allowed the stor- 
ing of Java-based procedures. 

The release also offers a new diagnos- 
tics tool for the Mobile Server Repository, 
and new wizards for the Mobile Database 
Workbench, with updated management 
screens in the Mobile Manager tool. 

Oracle Database Lite is designed for 
situations where applications run on occa- 
sionally connected devices, with periodic 
synchronization to an Oracle database 
server on the back end. The new synchro- 
nization features make it possible to syn- 
chronize data in both directions, while 
requiring no user intervention. 

The new release of Oracle Database 
Lite 10g now offers practically unlimited
storage space for BLOB (binary large
object) data, with an upper limit of 
16TB per BLOB. It also adds support 
for Oracle Containers for Java, used in 
the company's Web-to-Go Java develop- 
ment environment. 

Pricing for Oracle Database Lite 10g
is based on the number of processors in
the machine running the Mobile Server
— at US$20,000 per CPU — with
unlimited use of the mobile database.

It can be used with Windows Mobile 
5 and Windows CE Standard SDK 5.0; 
Symbian 7 and 8 devices are supported 
via JDBC.
Security flaws darken the sky over every company
that encounters them. The consequences can be 
so severe that it is remarkable flaws continue to 
persist after years of stakeholders enduring the 
expense, pain and risks associated with insecuri- 
ty. But just as a spate of failures of cast-iron bridges 
in the early years of Victoria's reign caused the British
government to regulate railroad construction, so too 
may failures in software security lead to future gov- 
ernment controls on how code is written. 

Gunter Ollmann, director of security strategy for 
IBM's Internet Security Systems division, reported 
in May 2007 that ISS researchers had analyzed
more than 7,000 publicly disclosed bugs in 2006.
Strikingly, Ollmann estimated that the number of 
new code vulnerabilities could exceed 139,362 
per year, increasing the perceived risk of zero- 
day vulnerabilities exponentially. 

Software has transformed into a critical part of 
our infrastructure, yet its architectural standards 
are not on par with physical structures such as 
bridges. Although every situation is different, the 
experts SD Times interviewed for this story 
reached consensus on some of the most common 
underlying factors that beget flaws: Fundamental 
project management, organizational commitment 
and training were the most frequently discussed 
topics among those interviewed.

John Heimann, Oracle's program director in the
global security product group, observed that most
companies have not defined standards for secure coding.
But management must define standards, explain
what they mean to developers, and measure developers
on their achievement, he said.

Tight schedules may also lead to lax software securi- 
ty. Rex Black, president and principal consultant of Rex 
Black Consulting Services, said that schedule pressures 
drive out a lot of things required to produce quality software.
"[Management believes] that pressure is part of getting
peak performance out of an organization. There is frustration
at the contributor level about constant pressure to
meet dates. You can't be surprised when [developers] don't
deliver fully functional or secure code."

SPI Dynamics co-founder Caleb Sima remarked that even 
if management conveyed requirements precisely, another 
problem is that the person who created those requirements 
needs to know security. "Product managers deal with cus- 
tomers, not security. There must be a dedicated guy helping 
the product manager." 

Sima also noted that product managers drive for parity 
between diagrammed functionality and what is actually writ- 
ten. Unintended functionality, introduced when developers 
go above and beyond what is expected of them, spawns vulnerabilities.
"QA people do not test the extra stuff... this is
where security issues come into play," said Sima. 

According to Sima, security must be a companywide 
process and be integrated into the existing development life 
cycle, but he acknowledged that coordinating so many actors 
could be the biggest obstacle. "Security goes into the whole 
process; it's one huge cycle and cannot be fixed at one point." 

Roy Stephan, director of security business units at Ashburn, 
Va.-based systems integrator Intelligent Decisions, recom- 
mends rapid prototyping for requirements development to 
uncover inconsistencies, because the "big build" model makes 
fixing problems costly and difficult. He surmised that out- 
sourcing has added to the challenge of realizing a cohesive 
vision for security, citing language and interaction difficulties. 

PUTTING YOUR MONEY WHERE YOUR MOUTH IS 

Black, Heimann and Sima all agreed that companies that are 
serious about security must invest more in QA tooling, under- 
stand how to use those tools effectively, and retain developers 
who know how to write secure code with those tools. Whether 
or not this is done is a matter of organizational priorities, since 
these activities contribute to operating expenses. 

But there is a business case for black-box security testing 
tools, according to the U.S. Department of Homeland Securi- 
ty. A document published on the department's Computer 
Emergency Response Team Web site in December 2005 
reported that the 2005 Computer Security Institute/FBI Computer
Crime and Security Survey noted that the monetary loss
reported by 639 companies in
2005 totaled US$130,104,542.

SPECIAL REPORT: What Can Be Done About Software Security?
Software Development Times, July 1, 2007 (www.sdtimes.com)

Oracle's Heimann explained
that companies also require
tools because they have to look
back to see how well they are
doing, even with the correct
processes in place. "If you don't
measure something, you can't
manage it," he pointed out.

Black said that tools can
make the process of designing
secure software more efficient,
noting that "most companies
feel that code reviews are good,
but [they] say that 'we don't
have time.'" He added that
even if there are pockets of
people within companies that
understand both quality and
security issues, there is no
mechanism to propagate their
knowledge, because people are
not reading one another's code.

"Even when there are code 
reviews, one of the things compa- 
nies don't tend to invest a lot in is 
tools," Black said. He bemoaned 
that companies focus too much 
on static analysis and not enough 
on subtleties even when they 
make the necessary investment, 
which leaves bugs that could eas- 
ily be discovered with tools to be 
discovered manually. 

Intelligent Decisions' Stephan 
agreed that QA cannot be seen 
as an obstacle, and recommends 
that QA professionals establish 
best practices that pay special 
attention to the boundaries, 
where applications communi- 
cate through protocols or 
between libraries. He advocates 
peer code reviews as well: "Tools 
are getting more intelligent and 
automate the documentation 
process. In the end, it comes 
down to programmers docu- 
menting code properly, to be 
quickly patched by a successor" 
when necessary. 

SPI Dynamics' Sima recom- 
mended that tools be embedded 
in the development life cycle to 
scan and identify code, and check 
it against policy. 

"Security must be introduced 
as another [presumed] defect," 
he explained, adding, "QA peo- 
ple typically test for functionality 
and performance — not security." 

TRAINING AND EDUCATION 

"Problems arise when you try to 
implement the technology," 
said Black. He concurred with 
Sima that security testing is not 
well understood, stating that 
many QA professionals are 
domain experts who do not 
comprehend the underlying 
technologies. "A modest invest- 
ment in tools and training can 
impact security," he claimed. 

Black cautioned against set- 
ting immovable deadlines, say- 
ing that as the scope of testing 
work increases, the question to 
management becomes, "What 
time and what people?" In his 
estimation, an understaffed and 
overworked product group will 
permit test dates to slip in order 
to meet a delivery date, and may 
be forced to skip critical tests. 

"Organizations that are sincere 
about quality and security 
improvement will make it a prior- 
ity," said Black. "I am not suggest- 
ing an open-ended commitment, 
but companies must understand 
that other things [should] give 
way to achieving that." 

Education is another part of
the equation. Black, Heimann,
Sima and Stephan regard educating
developers in security as
a long-term solution, but 
Heimann had harsh words for 
the educational establishment, 
and Sima doubted that devel- 
opers even care about security. 

Training in secure program- 
ming is important because many 
information security profession- 
als come from a networking 
background, Stephan remarked. 
"They understand networks and 
protocols well but do not under- 
stand what is happening inside 
of an application, and how code 
is being used and implemented 
behind the scenes." 

Heimann was critical of the 
skills of entry-level developers, 
maintaining that most universi- 
ty computer science programs 
and training programs do not 
offer classes in secure coding. 
"They do good things, but this 
is basic knowledge that soft- 
ware engineers should have," 
he explained, adding that Ora- 
cle winds up bearing the 
expense of teaching program- 
mers how to code securely. 

QUALIFIED FACULTY NEEDED 

Heimann asserted that most 
academics do not know how to 
write secure code, do not want 
to teach how to do so, and do not 
want to be called out for not 
knowing how. Consequently, 
most developers come out of 
school without fundamental 
knowledge of computer security. 

Heimann suggested that 
accreditation standards should 
drive program changes that 
would allow qualified faculty to 
teach secure programming, and 
suggested that consumers of 
engineering talent, such as Ora- 
cle, ought to work together to 
influence universities and estab- 
lish standards for the training 
and education of developers. 

ABET is the recognized 
accreditor for college and uni- 
versity programs in computing 
and technology, and shapes the 
kinds of program offerings that 
institutions provide, taking its 
recommendations from the 
Institute of Electrical and Elec- 
tronics Engineers. 

While he acknowledged the 
importance of education, SPI 
Dynamics' Sima re-emphasized 
the development life cycle, saying 
that security cannot be enforced 
on the backs of developers 
because they lack any incentive to
write secure code. "They just do
their job and most of the time 
won't go out of the way to do any- 
thing better than that. Are you 
going to get them to care about 
security? I doubt that." 



In the not-so-distant past, it 
was widely understood that the 
phrase "beta test" presumed a 
certain amount of testing would 
take place. And tests were often 
limited to a core group of testers,
who would run the unfinished
bits for a defined period of time 
and could be relied upon to file 
quality bug reports. 

Today, many beta tests are 
open to mass audiences, for better
or worse. For example, MSN
Live Local and Google's Gmail 
were introduced as betas, but 
many users treated the services 
as if they were already in pro- 
duction. Whether companies 
have found a new stealth-mar- 
keting ploy, or a way to leverage 
the distribution power of the 
Internet, betas are more accessi- 
ble than ever. 

Whereas packaged software 
adheres to a defined build 
schedule, software-as-a-service 
applications — delivered over the 
Internet — may be slipstreamed 
with new beta code several 
times per day, if necessary. 
There is no shipping of physical 
media or build announcements 
involved; it is easier to keep the 
tester pool up to date. 

Stephan claimed that many 
companies release betas into 
production, knowing that they 
can use their patching mecha- 
nisms to fix problems later. 
"Patch management bridges 
the gap between the problem 
and the solution by leaving a 
self-mechanism for updating 
and securing code after the 
fact," he noted. "This is both 
good and bad: Patching is both 
a problem and a solution, to the 
extent it has become a crutch to 
move deadlines." 

Another one of Stephan's 
concerns is code reuse — leveraging
other people's code,
which is especially prevalent in
open source deployments. He 
argued that while it may be ben- 
eficial to "stand on the shoul- 
ders of giants" and use code that 
has been error-checked and vet- 
ted by the market, by incorpo- 
rating this type of library into a 
project, one might be introduc- 
ing vulnerabilities as well. 

Stephan recommended that 
companies work to secure their 
underlying libraries. "The code- 
reuse problem is [one of] rely- 
ing on underlying problems and 
drivers. Microsoft in particular 
is attacking this angle." 

Heimann also identified 
legacy code as a big issue, not- 
ing, "Legacy is a problem at 
Oracle. Our database has been 
around at least as long as 
[Microsoft's] Windows." 

The final thing that Stephan 
suggested on the code front was 
randomization. Randomization 
creates process-specific ran- 
domized instruction sets. 
Stephan explained that through 
randomizing implementations 
in the compilation process, one 
version will not be susceptible
to the same exploit as another
version of the same product. 

For instance, if there is a 
buffer overflow attack against 
Server A, it may not take down 
Server B or C; the domino 
effect is contained. 

END OF SELF-REGULATION? 

In the play "Julius Caesar," 
Shakespeare pointed out that the 
fault "is not in our stars, but in 
ourselves." Our experts agreed 
that not all of the blame lies with 
corporate management: Market 
trends and consumer buying 
behavior may have relegated 
security to the back burner. 

Consultant Black said that 
security flaws are symptomatic 
of software development in 
general, with companies caring 
more about adding new func- 
tionality and turning out more 
code that is less reliable. "Secu- 
rity has not kept up. There is 
more code in a cell phone today 
than the software that got us to 
the moon," Black quipped. 

Stephan added that develop- 
ers have a certain number of 
features to get out in a particular
time frame. As a result, he
said, information security flaws 
are not discovered for months 
or years following a release, and 
are difficult to link back to a 
specific programmer. 

Developers are also external- 
izing the cost of failure, Black 
added. "As long as organizations 
are able to transfer the cost onto 
consumers and users, they will 
not be fully incentivized to fix 
problems," he noted. "They are 
transferring cost onto customers 
to a degree that could not be 
done" with more tangible goods. 
He cited Microsoft as an exam- 
ple: "They invest a lot of money 
into fixing problems, which is 
certainly laudable, but a number 
of my clients have had signifi- 
cant expense doing regression 
testing on patches." 

Black suggested that it might 
take government action to see a 
transfer of cost back onto compa- 
nies. Homeland Security is draft- 
ing a software assurance standard 
that is voluntary for now, but 
Black said that its conditions 
could change. Compliance could 
become mandatory, he pointed
out, noting that the industry may
be "one or two major software 
disasters away from pretty harsh 
government regulations." 

There is already precedent 
for government involvement. In 
the wake of several high-profile 
data breaches, California law 
makes the organization that cre- 
ated the problem responsible. 

Although its scope is only tan- 
gential to software development, 
the California Information Prac- 
tice Act (SB 1386), a consumer 
privacy act, obligates companies 
to disclose when unencrypted 
personally identifiable data is or 
may have been accessed illegally 
and to adopt security procedures 
to limit the vulnerability of their 
data systems. Companies that 
are not compliant may be held 
liable in civil court. 

Oracle's Heimann said there 
is much work to be done and 
recommends security standards 
across the industry. "The indus- 
try has a lot of internal processes 
to measure the security of code," 
he noted, "but is not at a point 
where processes can be carried 
across organizations."
FROM THE EDITORS

The Business Model 

How do you make money with open source software? To date, most 
businesses have either given the software away and charged for ser- 
vice and support, or created communities to build software that formed 
the basis of commercial offerings. 

Gartner analyst Mark Driver, in the SD Times podcast "Week in 
Review" for the week ending June 8, explained that a new breed of dot- 
com startups are creating so-called attribution licenses that leverage the 
work of the open source community but enable them to protect their 
intellectual property. There is a firestorm brewing, he warned, over what
will be considered open source, and what will become proprietary software
built by a community.

Driver's thoughts are fleshed out in our story on page 20 ("Analysts 
Predict Open Source Boom"), which notes that new companies are form- 
ing to support companies that rely on open source software. As Driver 
said, "I don't want to discount the importance of community, but com- 
munity doesn't come with an SLA." 

Service and support give confidence to companies that use open 
source software. If anything goes wrong, they can call for support, rather 
than post the problem on a bulletin board or blog and hope for a timely 
and helpful response. But what about niche software, or crowded mar- 
kets such as support for Apache's top projects? Realistically, how much 
money can you make off of that? 

What, then, to make of IBM's continued statements, going back to 
September 2006, that it sees its future earnings tied to the sale of soft- 
ware and not to services? For Big Blue to admit that its services cash cow 
is leveling off is surprising. 

What isn't surprising is the profit margin of IBM's commercial soft- 
ware. Reports in the media have placed it at close to 90 percent. So its 
June acquisitions of security software provider Watchfire and ALM soft- 
ware seller Telelogic are designed to round out the Rational offerings 
even more completely, and to boost sales — and profits. 

And the question of how to make money with open source software 
remains, especially since closed source is so tremendously profitable. 

Closing iPhone Makes Sense 

Judging by the groans reported from the Apple Worldwide Developers 
Conference, more than a couple of developers were unhappy that
Apple chose to significantly close off the iPhone to third-party applications
by adopting a Web 2.0-only approach. But when one remembers
that ease of use is Job One for Apple, and then looks at how difficult it is 
to install and maintain applications on those mobile phones that allow it, 
the company's decision makes sense. 

A key factor is the state of mobile networks in the United States today. 
Web 2.0-based applications depend on fat, fast pipes. For most end 
users, a fast Internet connection is a given at the office, and it's often 
available at home. But when the EDGE network of AT&T, the iPhone's 
exclusive carrier (for now), claims average download rates of 70Kbps to 
135Kbps, Apple's Web 2.0 vision looks like dial-up America Online. 

Where it is available, EDGE will become increasingly congested as people
buy iPhones. That's going to put the burden on the carrier to improve
its service, which may wipe out the sum of whatever AT&T makes on 
data plans, and the slender profits of in-store iPhone sales. (Plus there's 
a lot of the country where EDGE won't be available, now or ever.) 

While Apple's choice may not please native-code developers, or cus- 
tomers off the EDGE grid, it makes life easier for Web developers and 
for Apple itself. Troubleshooting and patching is easier when everyone's 
running the same code. Apple saves money because it doesn't have to do 
as much developer handholding. Web developers have existing Web 
specs to write to, instead of iPhone-specific APIs and SDKs. Customers 
who are lucky enough to live on a fast EDGE network may be satisfied 
with Web 2.0.



More Than Skin Deep 



Dan Dodge 



Go back, way back, in computer histo- 
ry to 1990. You're sitting at a PC and 
you want to copy a file called letter.txt to 
a subdirectory called Letters. (Remem- 
ber when folders were still called direc- 
tories?) To perform this operation, you 
would type something like this: 

    copy letter.txt Letters

Pretty simple. In fact, some systems
even provided auto-comple- 
tion, so you didn't have to type 
the entire file name or directo- 
ry name: Just begin typing the 
name, hit the Esc or Tab key, 
and the command shell would 
find the best match and fill in 
the remaining characters. 
Pretty cool. 

Still, it didn't take long for 
the command line to vanish 
from the PC landscape. First 
Apple, then everyone else began to 
embrace the Windows-Icons-Menus- 
Pointer interface, aka the WIMP. The
WIMP, we were assured, was more intu- 
itive and more user-friendly. 

Or was it? Let me reconstruct my 
thought process the first time I used a 
WIMP to copy a file, some 18 years ago. 
The procedure, which still works with 
WIMP file managers like Windows 
Explorer, went something like this: 

1. Double-click on the file folder icon 
to open the File Manager. Wow, a cool- 
looking tool for organizing my files! 

2. Open the File Manager's Edit 
menu. Huh? I wanted to copy the file, 
not edit it. 

3. From the Edit menu, select the 
Copy item. Selected it... but nothing 
seems to happen. 

4. Double-click on the folder that you 
wish to copy the file to. OK, found it. 

5. Open the Edit menu again and 
click on the Paste item. Oh... so that's 
how it works. 

Somehow, a simple operation grew 
from one step to multiple steps. More- 
over, there was nothing intuitive about 
it. I mean, who would think of using an 
Edit menu to move or copy a file? 

I am, of course, being unfair to the 
WIMP. After all, it does many things that
the command line cannot. The point is, no 
single mode of computer-human interac- 
tion can address all user-interface chal- 
lenges. Sometimes, the command line is 
best and sometimes the WIMP is. And for 
some systems, neither is best. Flatbed 
scanners, for example, were a mystery to 
many consumers until vendors wisely 
replaced some GUI-based controls with 
physical buttons like "Copy" and "Mail." 

In fact, some systems do best with 
multiple forms of computer-human 
interaction, not just one. Consider, for 
example, an in-car infotainment unit 
that offers 3D navigation, real-time traf- 
fic reports, CD/DVD playback and iPod 
connectivity. A voice-controlled interface,
with its ability to minimize driver
distraction, is a natural choice here. That 
said, some functions will always be easi- 
er to control with a quick and simple 
button press. Thus, the system may also 
need a touch screen, along with a few 
physical buttons. 

But here's the thing. It isn't always 
easy to determine up front which func- 
tions should be controlled by 
voice, which by touch 
screen, which by physical 
buttons, and which by some 
combination of the above. 
You must work closely with 
users to gauge which mode 
of interaction (or which com- 
bination of modes) works 
best and then fine-tune your 
interface accordingly. 

This calls for a software 
architecture that not only supports mul- 
tiple forms of user interaction, but also 
allows any feature to be controlled by a 
GUI one day, and by a voice interface the 
next. Simply put, you need an architec- 
ture that keeps your UI design options 
open. 

You also need an architecture that 
keeps your UI available. The most bril- 
liant user interface is useless if it locks up 
or becomes temporarily unavailable be- 
cause the system is too busy doing some- 
thing else. In a network, for example, a 
router that fails to provide performance 
data because it is swamped handling 
alarm conditions prevents operators from 
taking appropriate action. Likewise, if the 
HMI for a chocolate factory control sys- 
tem stops responding whenever the sys- 
tem experiences a high level of motor 
control, then operators can't take action if 
a critical event occurs. Fifty thousand 
ruined candy bars, anyone? 

The more complex the system, the 
more likely such problems will happen. 
To avoid them, system designers must 
choose operating systems and middle- 
ware frameworks that can provide a guar- 
anteed amount of CPU time and memo- 
ry for user-interface functions, regardless 
of how busy the system becomes. Such 
resource guarantees can also thwart 
denial-of-service attacks and other net- 
work-based exploits that monopolize sys- 
tem resources and thereby prevent users 
from accessing the UI. 

Put simply, to create a successful inter- 
face for any complex product, you have to 
go beyond skin deep. You must be con- 
cerned not only with the layer that the 
user sees, hears or touches, but also with 
the underlying software that ensures the 
interface is constantly available and quick 
to respond. 

Because, after all, nobody likes wimpy 
response times.

Dan Dodge is CEO of QNX Software 
Systems. 
ALMOST IMMEDIATELY after the
Unlawful Internet Gambling Enforce- 
ment Act (UIGEA) was attached to an 
anti-terrorism bill last year, a cloud of 
confusion filled the air. The U.S. Con- 
gress neglected to specify what consti- 
tutes illegal gambling, but required 
financial institu- 
tions to cut off 
the cash flow to 
parts of the world 
where gambling 
is not prohibited. 
Now, the World Trade Organization has 
gone all in. On March 30, a WTO tri- 
bunal ruled UIGEA out of bounds, find- 
ing against U.S. restrictions on Internet 
gambling after the government of 
Antigua raised objections. Rep. Barney 
Frank (D-Mass.) has brought legislation 
before the U.S. House of Representa- 
tives to repeal the ban, and the smart 
money is on the "illegal" gambling oper- 
ations overseas. But what's the point of 
all of this anyway? In the age of Internet 
banking and offshore hosting, how is it 
even possible to prevent money from 
being transferred? 

-David Worthington 

I RECENTLY PURCHASED a software 
music-making program called Magix 
Music Maker, a do-it-yourself kit perfect 
for a creatively neu- 
rotic person like 
me. I enjoy it most- 
ly because I can 
build my own drum 
beats, and add vari- 
ous synthesizer 
sounds via drag- 
and-drop functionality. I'm not exactly 
Mozart, but I now have the ability to add 
my own keyboard licks, along with bass 
and guitar riffs. I know that some tradi- 
tional folks would decry such a technol- 
ogy-driven method of music creation, 
but I have no problem shrugging them 
off. I've been in bands before and have 
found that the mentality of a band can 
be a fragile thing. In fact, I nearly gave 




up on music altogether because of the 
difficulty in finding compatible musi- 
cians. Now with the help of a software 
program, it's a one-man show. 

-Jeff Feinman 

WHEN A RECENT CREDIT card 
statement came to the house, I noticed 
a charge I hadn't made. It was identified 
as a PayPal transaction. Now, I have a 
PayPal account, set up to help facilitate 
the sale of an extra pair of tickets I had 
for Springsteen at Shea Stadium in 
October 2003, but I haven't used it 
since. I called the credit card company, 
which told me I had to call the PayPal 
phone number listed on my bill. Upon 
getting a live person — I STILL hate the 



countless requests to punch in or speak 
my 16-digit account number and my 
mother's maiden name, only to have to 
repeat them because his system isn't 
integrated with the call center system 
that was designed to speed up the pro- 
cessing of my call — I explained that I 
hadn't used the account. He told me 
right away that they, too, had identified 
the charge as fraudulent, and that I'd be 
getting a credit. He also said that some- 
one probably got my account number 
and tried to use it with an online trans- 
action, and that I should have that card 
canceled out and get a new one. He 
wouldn't tell me how he could tell the 
transaction was a fraudulent one, but I 
felt better knowing that when it comes 
to protecting my identity, I'm not fight- 
ing alone. 

-David Rubinstein 



LETTERS TO THE EDITOR 

Use Your Imagination 



In response to the letter to the editor 
"Bedazzled and Bewildered" by Charlie 
Clarke, published in the June 1 issue 
[page 54]: 

I, too, have read the article written on 
Mr. Cohen and his inventions. First of 
all, may I ask why you wrote at length 
about hydro-foils — to the extent of giv- 
ing links to other Web sites? One has to 
wonder whether or not you used Mr. 
Cohen as a roundabout way of bringing 
attention to those sites, for I see no men- 
tion of that type of watercraft in that par- 
ticular article. Or perhaps your "out of 
context" imagination ran amuck. As for 
Mr. Cohen's USCIIIIII code, you might 
be interested in knowing that linguists 
have recognized that the Hebrew lan- 
guage is the Root, shall we say, for the 
Family Tree of languages. So Mr. Cohen 
is right on target! 

I am by profession a writer and as 
such would like to let you in on a major 
creative/intuitive secret. It is in the 
IMAGINATION that ALL inventions 
first begin. That is the human tool given 
to us that has taken mankind out of the 



Dark Ages and into the highly developed 
society we now enjoy with its telephones 
(now that inventor was very imagina- 
tive), TVs, PCs, automobiles, aircraft, 
spacecraft, and of course the list goes on 
and on. Mr. Clarke, I would suggest that 
rather than insulting the intelligence/ 
imagination of other people, which, by 
the way, also insulted ALL creative peo- 
ple who bring new things to our world, 
you might instead thank them for their 
diligence in struggling to break through 
the resistance of old ideas and new 
ignorances of those naysayers who with- 
out understanding the artist at work sees 
only their own blank canvas where imag- 
ination has stepped out for lunch. 

To Mr. Cohen — if you are reading 
this — because I intuitively sense that you 
are onto something great, I wish you all 
the best in connecting with the right peo- 
ple to help bring those ideas to fruition. I 
distributed Mr. Rubinstein's column to 
those on my mailing list. Where would 
we be today without our inventors?! 

Annette Morash 

Vancouver Island, B.C. 



Asia-Pacific to See Explosion 
in Developer Numbers 

Figures released by Evans Data in May estimate that,
between 2006 and 2010, the
global developer population will grow by nearly half, with
the Asia-Pacific region experiencing the highest rate of 
growth at 84.1 percent, slightly more than double that of 
runner-up Latin America's 41.9 percent. But Latin America 
is expected to add the fewest developers of any region, at 
around 341,000 — or about 108,000 fewer developers than
the relatively mature North American market, according to 
the research firm's Global Developer Population and 
Demographics Report, Volume I. Europe and the Middle 
East are expected to add 1,654,000 developer jobs, for a 
relatively healthy growth rate of 36.7 percent. 

SOA Begins at the Data Layer



Those who build SOAs have one thing
in common — the use of services to 
create an architecture that's both agile 
and better supports reuse. While services 
are a key component to SOA, the "A" in 
SOA stands for "Architecture," and that's 
where you need to begin... working from 
the data up to the services. 

Think of SOA in layers, as with most 
architecture. Typically, at the lowest level 
you have information, either existing in 
databases or enterprise applications. The 
services sit on top of the data, both as 
transactional services that are more 
behavior-oriented and as data services 
that are more data-oriented. From there 
you move up into messaging (ESB, for 
instance, and it's optional), and perhaps a 
process/orchestration layer for forming 
and reforming the services into true busi- 
ness solutions. Of course, you have to 
keep track of the services using registries 
and repositories (SOA governance real- 
ly), and security systems to ensure that no 
bad or dumb people access your services. 

So, given that SOA is so complex, why 
focus on the data first? It's really about 
building the right foundations for your 
architecture, and data is the place to 
start. Indeed, as we build SOAs, the first 
step is having a clear, semantic under- 
standing of the problem domain, and 



SOA Watch 



then dealing with logical abstraction of 
the data, and how the data exists within 
services. Let's start from the beginning. 

Having a semantic understanding of 
your problem domain means that you 
know information about all of the infor- 
mation aggregated and abstracted with- 
in your SOA, including what, where, 
why, who, how and validation. This, in 
essence, becomes the SOA 
metadata layer that allows you 
to mix and match the right 
data within the right services 
to make sure you have all of 
the services exposed to solve 
any potential business prob- 
lems, now and into the future. 
This means that all databases 
and enterprise applications 
must be understood at the 
semantic levels, including 
their interfaces, security issues and any- 
thing else that matters to other entities 
that are consuming the information. 

This is where most SOAs fall down, 
considering that the architects are just not 
willing to gain a complete understanding 
of the application semantics, and thus 
can't build useful services, and thus the 
services can't be orchestrated into solu- 
tions. So, you need to bite the bullet now, 
and gain a complete semantic under- 




standing before moving up the stack. 

So, what does this mean? It means 
going over data dictionaries, reverse- 
engineering database schemas, actually 
reading ERP and CRM application man- 
uals, and other unnatural acts that most 
are not willing to do. Moreover, you must 
understand as well as record, including 
entering this semantic information into a 
design repository, design-time 
governance system, or worst 
case, Microsoft Excel. 

Next, let's think about 
abstraction, or the ability to 
reshape the underlying, typi- 
cally ugly structures into 
something that's useful for 
our SOA. There are two com- 
ponents of this abstraction: 
logical and physical. 

Logical data abstraction is 
a design-time concept, meaning that we 
are taking the existing physical and logi- 
cal database structure and remapping it 
so that it has better logical order for the 
services we are exposing. We create gen- 
eral entities for particular concepts such 
as customer, product, sales and the like. 
Typically these entities are made up of
many different and diverse databases 
that are combined together through a 
virtual schema that only exists within 



middleware, but is an abstraction of 
many back-end physical databases of all 
shapes, sizes and types. 

Next we think about the physical 
abstraction, or actually selecting data- 
base abstraction software, and creating 
the physical maps from the back-end 
databases to the virtual representations. 
Guys like Composite Software typically 
work well here, providing a configura- 
tion layer between the back-end physical 
databases, no matter how bad the 
designs, to a well-defined virtual 
schema, but with improved logical map- 
pings of the information to meet the 
needs of our SOA. Moreover, since the 
mapping exists within the configuration 
layer, the physical database is not cou- 
pled to the abstraction, thus is change- 
able at any time, and thus provides bet- 
ter support for agility. 

So, while the data is indeed boring to 
many developers, not paying attention to 
it means not building the proper foun- 
dation for your SOA. Those who miss 
this step will fall down later, claiming it 
was the concept of SOA that caused 
their issues, when really it was their own 
darn fault. Neglecting the information is 
the most common mistake being made 
as organizations implement their first 
SOAs. Don't be part of that crowd.

David S. Linthicum is the CEO of 
the Linthicum Group. Reach him at 
david@linthicumgroup.com.

Those Stinking Users



Perhaps the only thing worse than a 
slow uptake of your application is a 
smash hit. Users have a way of outfox- 
ing everything, including load tests, 
and the imperative to respond to 
existing customers can absorb all the 
working hours of a team that is sched- 
uled to move on to the next version. 
Worse, when a product is exposed to an 
order of magnitude more users than 
planned and when the product is used 
more intensely than anticipated, the 
defect list grows rapidly, potentially 
panicking the team into treating the 
symptoms, not the causes. The result- 
ing chaos can easily derail a team, 
especially one new to agile processes, 
where "the customer is always right" 
and being responsive were the 
values that led to the success in the 
first place. 

Not long ago, I witnessed this very 
problem. I was engaged to work on the 
requirements and architecture of The 
Next Phase, which didn't seem to have 
a lot to do with The Current Deploy- 
ment, whose two big features were a 
comprehensive audit trail for manage- 
ment and a Web-based "dashboard" 
that gave users a much better view of 
their own context. Following the 
principles of "You Ain't Gonna' Need 
It" and "Don't Repeat Yourself," the 



dashboard and the auditing facilities 
used the same messages to request 
information; the dashboard, of course, 
stripped out the huge blobs of auditing 
data and presented a much-compressed 
summary. What was not anticipated 
(note the use of the passive tense 
to avoid blame) was that the users 
found the historical perspec- 
tive of the dashboard very 
valuable and configured their 
dashboards to retrieve not 
just a day or two of history, 
but often everything they 
did in the past month. Fur- 
ther, once the initial group of 
users saw The Current 
Deployment, the client com- 
pany went from a cautious 
ramped deployment to "We 
want to give this to everyone, starting 
Monday." 

Wonderful, right? Well, not so 
much. The documents coming back to 
the presentation layer were huge and 
the response times quickly degraded. A 
quick look at the server's performance 
monitors showed that memory was 
thrashing terribly — it was paging data 
on and off the disk continuously. 
"Let's add RAM," was the natural 
"Simplest Thing That Could Possibly 
Work." Except, I opined, I didn't 



Windows & .NET Watch




think it could possibly work. Max out 
the RAM? Of course try it. But every- 
thing we were seeing pointed toward 
the situation getting worse, and proba- 
bly in a nonlinear way, since the suc- 
cess of the dashboard led to further 
exploration of alternatives, increasing 
the amount of auditing data that we 
were storing and subse- 
quently retrieving and then 
discarding. 

The solution, I suggested, 
was that the dashboard had 
to work not with the general 
"all information" request- 
and-response, but with a 
new set of queries that were 
designed to contain just the 
summary data. They had to 
push the processing back 
into at least the middle layer (where it 
could be cached and shared between 
clients) and possibly all the way back 
into the database (where we could, if 
necessary, even adopt a summarize-on- 
update strategy that would minimize 
retrieval-time processing). Not an 
intimidating task, but certainly not 
something to be dashed off 
and slipstreamed into the current 
deployment. What they could slip- 
stream was a flag to chop the auditing 
data off at the database layer, a sugges- 



tion that made everyone frown in 
distaste (and, sure enough, turned out 
to have unforeseen consequences). 

The development manager was 
downcast. Here he had supervised a 
successful development cycle, result- 
ing in on-time delivery of a product 
that delivered more value than the cus- 
tomer had anticipated. The decisions 
made along the way were, individually, 
reasonable: I hadn't designed the dash- 
board messages, but if I had, I would 
have agreed, "Yeah, summarizing the 
data is a presentation-layer concern." 
They had done load testing and every- 
thing had looked great — according to 
the use cases they'd developed for. 
Now, suddenly we were looking at 
delaying The Next Phase for a six-week 
sprint that felt like we were fixing 
screw-ups, not just with the dashboard 
issue, but because the success of the 
system brought myriad trivial but time- 
consuming defects (I've never seen so 
many "TO DO" comments flushed out 
so fast). 

As we wrapped up a multihour ses- 
sion that had hardly touched upon The 
Next Phase, I could see the frustration 
on his face and I knew what he was 
thinking: Software development would 
be so much easier if it weren't for those 
stinking users.

Larry O'Brien is a technology consul-
tant, analyst and writer. Read his blog at
www.knowing.net.



Moving Past Ant

The history of computing is marked
by technologies that started out as
elegant solutions to a single problem
and then morphed into a more com-
prehensive product.

Java is an example (recall that at its
release, it was positioned as an "Internet
language" and it enabled dynamic con-
tent via applets). So is the Web, which
was at one time just another protocol for
finding data on the Internet. Gopher
and other protocols were seen as com-
peting tools for locating information.

Other technologies emerge to solve
a single problem and then slowly
morph into legacy solutions. They
don't enjoy a wider rebirth into new
problem domains. Rather, they begin
to obstruct progress by maintaining the
status quo of their original vision in a
world that is constantly advancing. One
such tool, in my opinion, is Ant.

Ant was a big step forward for Java
developers when it first came out in
2000. It was portable and it did away
with the quirky syntax of make.
Instead, it used XML, which could be
read easily and validated for syntactical
correctness — two steps in the right
direction. Unfortunately, only two, as
the Ant syntax definitely has limita-
tions. Long scripts are hard to
follow and, at times, to untangle. This
aspect is made worse by limited debug- 
ging options and make-you-crazy error 
messages. 

The choice of XML also has draw- 
backs: It is not expressive, and it lacks 
proper built-in logical capabilities. To 
do anything involving logic flows, you 
need to drop down to the 
task level, write your logic 
there, and then reintegrate 
that task with Ant's "do this, 
do that" design. This has the 
effect of forking the level of 
abstraction: The logic should 
go at the higher level (the 
Ant file) and direct the indi- 
vidual tasks, not force the 
tasks to determine build 
state and make decisions 
from within. In essence, an effective 
build system probably cannot be built 
on XML anymore, I don't believe, 
especially given the complexity of 
builds today. 

Ant does not support the concept of 
touch as it is found in make — an 
important omission. Because make 
compiles only those files that have 
been modified since the last compila- 
tion, you use a utility called touch to 
change the modification date of a file 




should you want to force its inclusion in
the build. Ant has no concept of build- 
ing the minimum number of files 
required. This responsibility devolves 
to the individual tools Ant calls. How- 
ever I, for one, want my build tool to 
be intelligent in this regard and make 
sure that the minimum amount of work 
is performed. 

Then there is Ant's love- 
hate relationship with JUnit. 
JUnit is unaccountably not a 
default task for Ant. You 
have to configure it sepa- 
rately. Ant also made it near- 
ly impossible to run JUnit 4 
tests until release 1.7 of Ant 
in December of last year. 
This to me is an impermissi- 
ble inversion of control, so 
to speak: My build tool should not be 
determining which tools I can and can- 
not run. 

I could go on with other foibles, but 
I am not looking to indict a useful tool; 
I am suggesting that we need to move 
toward a scripting-type build facility 
with elements of modern programming 
languages built in. These include sub- 
stantial logic and program flow capabil- 
ities, state preservation and macros, as 
well as debugging features. And, of 



course, this language should allow me 
to run any task without having to 
depend on other developers to write 
functionality for me. 

To Ruby-aware readers, this descrip-
tion sounds somewhat like Rake, and in
fact, Rake fills many of these goals. 
However, I want a Java solution for Java 
products and for the time being I pre- 
fer a Java-hosted build system because 
of the much wider platform support 
Java enjoys. One possible solution is 
JRake, which is a Java version of Rake. 
It recently was folded into the Raven 
project (raven.rubyforge.org). While
this project is heading the right way, 
many developers will feel that the Ruby 
tinge is a curious distraction (wrapping 
jar files into Gems is an odd thing for a 
pure Java developer). 

Gant (groovy.codehaus.org/Gant), 
which uses the Java-based Groovy 
scripting language, is another possibili- 
ty, although the end result is an 
Ant file, so some of the key limitations 
are preserved. There are a few other 
build systems, but they are mostly 
modeled on make or Ant. What I 
think we need is a whole new solution. 
And as builds become increasingly 
complex, this need will quickly become 
urgent.

Andrew Binstock is the principal ana- 
lyst at Pacific Data Works. Read his 
blog at binstock.blogspot.com.

Life on the edge is dangerous. It's
exciting and unpredictable. It offers 
new and unexpected twists. 

Some people enjoy living on the 
edge. Don't count most development 
managers among them. 

Applications that need to support 
Web services, integrate with outside 
applications and stay in sync with a back- 
end data system live on the 
edge of the enterprise, teth- 
ered by ropes that seem to 
constantly unravel. The edge is 
where all kinds of trouble can 
arise. But it's also where much 
innovation springs, as organi- 
zations look to gain control of 
the chaos that breeds there. 

To control the edge, you 
must be able to control 
change, because that's what 
the edge is all about. Paulo Rosado, 
CEO of Europe-based change manage- 
ment solutions provider OutSystems, 
has studied IT life on the edge for years, 
and he believes two things are needed to 
win at the edge: an agile approach and 






cheap transfer of knowledge. 

Rosado learned this years ago, when 
he tried to implement a solution that 
would enable transactional applications 
to function on extranets. "We never got 
the thing into production," he admitted. 
"We could never close the scope up 
front." What he learned is that the con- 
stant addition of features during devel- 
opment is part of an ongoing 
process, and that it's OK to 
make mistakes in scope so 
long as you can make changes 
cheaply. "For us, it's not the 
building that's fundamental; 
it's the change." 

Business-savvy developers
understand the need for agili- 
ty. "They want to get some- 
thing out and get immediate 
feedback," Rosado said. 
"Then, you iterate again." Instead of 
doing large code merges every few 
weeks, they should happen every few 
hours so the team can face problems 
incrementally, and not in one gigantic 
iteration. "If you try to shoehorn water- 
fall processes here, 
most times developers 
will be idle," he noted, 
as they wait for new 
requirements and a 
firm codebase from 
which to work anew. 

Once the business 
side realizes how 
responsive the organi- 
zation is to change, the 
scope of requests is 
smaller, and if some- 
thing crucial arises 
that needs to be tack- 
led, there is confi- 
dence the team can 
get it done in weeks, 






instead of months. 

But this flexibility cannot be achieved 
without thorough knowledge of the 
code. "A lot of the complexity of change 
has to do with knowledge transfer," 
Rosado said. "The guy who built it isn't 
always the guy who has to change it." 

Rosado told of a company that hired 
a consultancy to write its code, and when 
it came back, the company would have 
its people reverse-engineer it to gain 
understanding and control. Consultants, 
Rosado opined, don't like when compa- 
nies want to know what's going on in the 
code. "Control of the code is what keeps 
the customer locked in," Rosado said. 
"They hold customers hostage with 
unwieldy code, and ownership goes to 
the service provider. The product road 
map is now not in anyone's control. With 
cheap knowledge transfer, you gain flex-
ibility. Now, you can outsource, or off-
shore, and retain control." 

Another of his anecdotes involved an 
invoice approval system. Cost center 
directors had agreed to move from 
paper to a digital process that allowed 
them to signal their approval for an 
expenditure by typing a password into a 
browser box. 

When Rosado's team rolled out the 
new system, it became clear that most of 
these directors wanted to retain the 
process of having their personal assis- 
tants work up an approval form for them 
to sign. So, some of the directors gave 
their passwords to their assistants, who 
now suddenly could approve spending 
up to €25,000 without any control. 
Because of the agility of the solution, a 
new version, which created a new role 
allowing the assistants to see everything 
the director could see and prepare an 
electronic form for digital signature, was 
completed in three weeks. 

That's life on the edge.

David Rubinstein is editor-in-chief of 
SD Times. 



Business briefs 



Dundas Software's data visualization tools will ship as a native 
part of Microsoft's SQL Server 2008, under the terms of a June 
4 announcement that Microsoft has acquired Dundas' intellectual 
property. Dundas has license to sell its Dundas Chart solution in 
advance of SQL Server's general availability next year, according 
to the announcement of the deal. Going forward, Dundas Chart 
will be jointly developed, but Microsoft has the final say on devel- 
opment, said Dundas president Troy Marchand. New integrations 
will be included when the SQL Server release ships. "In respect to 
the deal, people can use tomorrow's technology today. What we 
are selling today will be in the next version of SQL Server 2008. 
There is a complete migration path, and investments will not be 
lost tomorrow," said Marchand . . . Software-as-a-service provider 
OpSource has raised US$15 million in capital through a Series D 
round of financing, led by Crosslink Capital with participation 
from Artiman Ventures. OpSource will use the funds to build out 
On-Demand, its Web application delivery platform. The round of 
financing brings the total raised to $47 million. "Crosslink invest- 
ed in OpSource because it has established a highly differentiated 



position as the leading provider of infrastructure and application 
services for Web-based solutions. OpSource has an exceptional 
management team, both strategically insightful and operationally 
strong. We expect great things from the company," said Gary Hro- 
madko, Crosslink Capital venture partner and new member of the 
OpSource board of directors. 

EARNINGS: The SCO Group reported second-quarter fiscal 
2007 revenue of US$6,014 million, down from $7,126 million from 
the prior year, continuing a trend of downward-spiraling revenues. 
For the quarter, the company posted a net loss of $1,143 million, 
which marks an improvement from the loss of $4,694 million from 
the same quarter a year earlier. The company attributed the 
reduction in loss to lower operating costs and fewer expenses 
relating to the company's legal challenges regarding its Unix intel- 
lectual property. The company claims the decrease in revenue is 
attributable to competitive pressures on its Unix business, appar- 
ently discounting the ill will it has generated in the industry with 
its legal maneuverings.



events calendar 



Web Design World
July 9-11, Seattle
1105 MEDIA
www.ftponline.com/conferences

Open Source Convention
July 23-27, Portland, Ore.
O'REILLY MEDIA
conferences.oreillynet.com/os2007

SCO Tec Forum
Aug. 5-7, Las Vegas
SCO GROUP
www.sco.com/2007tecforum

SIGGRAPH
Aug. 5-9, San Diego
ASSOCIATION FOR COMPUTING MACHINERY
www.siggraph.org/s2007

LinuxWorld
Aug. 6-9, San Francisco
IDG WORLD EXPO
www.linuxworldexpo.com

SHARE
Aug. 12-17, San Diego
SHARE
www.share.org

Actuate International Users Conference
Aug. 13-15, Las Vegas
ACTUATE
www1.event-projects.com/evo/AIUC2007

Agile 2007
Aug. 13-17, Washington, D.C.
AGILE ALLIANCE
www.agile2007.com

BEAWorld
Sept. 10-12, San Francisco
BEA SOFTWARE
www.bea.com/beaworld

VMworld 2007
Sept. 11-13, San Francisco
VMWARE
www.vmware.com/vmworld

Secure Development World
Sept. 12-13, Alexandria, Va.
SDW
www.securedevelopmentworld.com

VSLive
Sept. 16-19, New York
1105 MEDIA
www.ftponline.com/conferences/vslive

Dreamforce 2007
Sept. 16-19, San Francisco
SALESFORCE.COM
www.salesforce.com/dreamforce

High Performance on Wall St.
Sept. 17, New York
FLAGG MANAGEMENT
www.highperformanceonwallstreet.com

Software Test & Performance Conference
Oct. 2-4, Cambridge, Mass.
BZ MEDIA
www.stpcon.com

EclipseWorld
Nov. 6-8, Reston, Va.
BZ MEDIA
www.eclipseworld.net





For a more complete calendar of U.S. software 
development events, see www.bzmedia.com/calendar. 
Information is subject to change. Send news about 
upcoming events to events@bzmedia.com. 